* new round of audio cleanups

* various shadowed local variable fixes in vl, mptsas, pm_smbus, target/i386 * remove deprecated pc-i440fx-1.4 up to pc-i440fx-1.7 * remove PCI drivers from 128K bios.bin * remove unused variable in user-exec-stub.c * small fixes for ui/vnc * scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467] -----BEGIN PGP SIGNATURE----- iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmUTDaoUHHBib256aW5p QHJlZGhhdC5jb20ACgkQv/vSX3jHroMvEgf+NrSaP4pmHrYcVtm43fnKXoLHFrCx KYfoK9Lke/DDkTff6rrcfW/Wyqid6Pp9Ch4Rrpr/X71X5gi+c6xb5klC8cpSfLg4 gtuGctj7WL7KR/067EsLqHvzBob/iebFhZwhtsBrI+z65X+J9pOK78efBTdhezq4 EEHTWohMAg1I/MWBK5VnOk2fI4+9z9K9zP5AtWmJzwwJkQUoEyl+YDkVmIhMYoGn CapRO7i2wIvtoF4wuQUCGsOLmrcWTvRIOcV13k3b6PYCPC40/N9AOpiiyg3XqNah UKKM9CcgVnCzCc4Jar2QD+MzkTDxhmQSyLFJgtzrW7CQSE5YB3sUHj3CXg== =8nvs -----END PGP SIGNATURE----- Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging * new round of audio cleanups * various shadowed local variable fixes in vl, mptsas, pm_smbus, target/i386 * remove deprecated pc-i440fx-1.4 up to pc-i440fx-1.7 * remove PCI drivers from 128K bios.bin * remove unused variable in user-exec-stub.c * small fixes for ui/vnc * scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467] # -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmUTDaoUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroMvEgf+NrSaP4pmHrYcVtm43fnKXoLHFrCx # KYfoK9Lke/DDkTff6rrcfW/Wyqid6Pp9Ch4Rrpr/X71X5gi+c6xb5klC8cpSfLg4 # gtuGctj7WL7KR/067EsLqHvzBob/iebFhZwhtsBrI+z65X+J9pOK78efBTdhezq4 # EEHTWohMAg1I/MWBK5VnOk2fI4+9z9K9zP5AtWmJzwwJkQUoEyl+YDkVmIhMYoGn # CapRO7i2wIvtoF4wuQUCGsOLmrcWTvRIOcV13k3b6PYCPC40/N9AOpiiyg3XqNah # UKKM9CcgVnCzCc4Jar2QD+MzkTDxhmQSyLFJgtzrW7CQSE5YB3sUHj3CXg== # =8nvs # -----END PGP SIGNATURE----- # gpg: Signature made Tue 26 Sep 2023 12:58:18 EDT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * tag 'for-upstream' of https://gitlab.com/bonzini/qemu: audio: remove shadowed locals compiler: introduce QEMU_ANNOTATE block: mark mixed functions that can suspend target/i386/svm_helper: eliminate duplicate local variable target/i386/seg_helper: remove shadowed variable target/i386/seg_helper: introduce tss_set_busy target/i386/translate: avoid shadowed local variables target/i386/cpu: avoid shadowed local variables target/i386/kvm: eliminate shadowed local variables m48t59-test: avoid possible overflow on ABS pm_smbus: rename variable to avoid shadowing mptsas: avoid shadowed local variables ui/vnc: fix handling of VNC_FEATURE_XVP ui/vnc: fix debug output for invalid audio message vl: remove shadowed local variables hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467] user-exec-stub: remove unused variable seabios: remove PCI drivers from bios.bin pc_piix: remove pc-i440fx-1.4 up to pc-i440fx-1.7 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2023-09-27 13:55:18 -04:00 · 2023-09-27 13:55:18 -04:00 · 5dfd80e38b
commit 5dfd80e38b
parent 11a629d246 417f8c8ebf
26 changed files with 103 additions and 237 deletions
--- a/accel/tcg/user-exec-stub.c
+++ b/accel/tcg/user-exec-stub.c
@ -2,8 +2,6 @@
 #include "hw/core/cpu.h"
 #include "exec/replay-core.h"
 bool enable_cpu_pm = false;
 void cpu_resume(CPUState *cpu)
 {
 }
--- a/audio/audio.c
+++ b/audio/audio.c
@ -1706,7 +1706,7 @@ static AudioState *audio_init(Audiodev *dev, const char *name)
    size_t i;
    int done = 0;
    const char *drvname = NULL;
-    VMChangeStateEntry *e;
+    VMChangeStateEntry *vmse;
    AudioState *s;
    struct audio_driver *driver;
    /* silence gcc warning about uninitialized variable */
@ -1824,8 +1824,8 @@ static AudioState *audio_init(Audiodev *dev, const char *name)
        s->period_ticks = dev->timer_period * (int64_t)SCALE_US;
    }
-    e = qemu_add_vm_change_state_handler (audio_vm_change_state_handler, s);
+    vmse = qemu_add_vm_change_state_handler (audio_vm_change_state_handler, s);
-    if (!e) {
+    if (!vmse) {
        dolog ("warning: Could not register change state handler\n"
               "(Audio can continue looping even after stopping the VM)\n");
    }
@ -1900,10 +1900,8 @@ CaptureVoiceOut *AUD_add_capture(
    cap = audio_pcm_capture_find_specific(s, as);
    if (cap) {
        QLIST_INSERT_HEAD (&cap->cb_head, cb, entries);
        return cap;
    } else {
        HWVoiceOut *hw;
        CaptureVoiceOut *cap;
        cap = g_malloc0(sizeof(*cap));
@ -1937,8 +1935,9 @@ CaptureVoiceOut *AUD_add_capture(
        QLIST_FOREACH(hw, &s->hw_head_out, entries) {
            audio_attach_capture (hw);
        }
        return cap;
    }
    return cap;
 }
 void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
--- a/block/io.c
+++ b/block/io.c
@ -387,7 +387,8 @@ void bdrv_do_drained_begin_quiesce(BlockDriverState *bs, BdrvChild *parent)
    bdrv_do_drained_begin(bs, parent, false);
 }
-void bdrv_drained_begin(BlockDriverState *bs)
+void coroutine_mixed_fn
 bdrv_drained_begin(BlockDriverState *bs)
 {
    IO_OR_GS_CODE();
    bdrv_do_drained_begin(bs, NULL, true);
@ -506,7 +507,7 @@ void bdrv_drain_all_begin_nopoll(void)
    }
 }
-void bdrv_drain_all_begin(void)
+void coroutine_mixed_fn bdrv_drain_all_begin(void)
 {
    BlockDriverState *bs = NULL;
--- a/block/qcow2.c
+++ b/block/qcow2.c
@ -5288,7 +5288,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
    return spec_info;
 }
-static int qcow2_has_zero_init(BlockDriverState *bs)
+static int coroutine_mixed_fn qcow2_has_zero_init(BlockDriverState *bs)
 {
    BDRVQcow2State *s = bs->opaque;
    bool preallocated;
--- a/block/qed.c
+++ b/block/qed.c
@ -570,8 +570,8 @@ static void coroutine_fn bdrv_qed_open_entry(void *opaque)
    qemu_co_mutex_unlock(&s->table_lock);
 }
-static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags,
+static int coroutine_mixed_fn bdrv_qed_open(BlockDriverState *bs, QDict *options,
-                         Error **errp)
+                                            int flags, Error **errp)
 {
    QEDOpenCo qoc = {
        .bs = bs,
--- a/block/throttle-groups.c
+++ b/block/throttle-groups.c
@ -317,7 +317,7 @@ static bool coroutine_fn throttle_group_co_restart_queue(ThrottleGroupMember *tg
 * @tgm:       the current ThrottleGroupMember
 * @direction: the ThrottleDirection
 */
-static void schedule_next_request(ThrottleGroupMember *tgm,
+static void coroutine_mixed_fn schedule_next_request(ThrottleGroupMember *tgm,
                                                     ThrottleDirection direction)
 {
    ThrottleState *ts = tgm->throttle_state;
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@ -277,14 +277,6 @@ deprecated; use the new name ``dtb-randomness`` instead. The new name
 better reflects the way this property affects all random data within
 the device tree blob, not just the ``kaslr-seed`` node.
 ``pc-i440fx-1.4`` up to ``pc-i440fx-1.7`` (since 7.0)
 '''''''''''''''''''''''''''''''''''''''''''''''''''''
 These old machine types are quite neglected nowadays and thus might have
 various pitfalls with regards to live migration. Use a newer machine type
 instead.
 Backend options
 ---------------
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@ -715,8 +715,8 @@ mips ``fulong2e`` machine alias (removed in 6.0)
 This machine has been renamed ``fuloong2e``.
-``pc-0.10`` up to ``pc-1.3`` (removed in 4.0 up to 6.0)
+``pc-0.10`` up to ``pc-i440fx-1.7`` (removed in 4.0 up to 8.2)
-'''''''''''''''''''''''''''''''''''''''''''''''''''''''
+''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 These machine types were very old and likely could not be used for live
 migration from old QEMU versions anymore. Use a newer machine type instead.
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@ -279,7 +279,7 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
            if (!read && s->smb_index == s->smb_data0) {
                uint8_t prot = (s->smb_ctl >> 2) & 0x07;
                uint8_t cmd = s->smb_cmd;
-                uint8_t addr = s->smb_addr >> 1;
+                uint8_t smb_addr = s->smb_addr >> 1;
                int ret;
                if (prot == PROT_I2C_BLOCK_READ) {
@ -287,7 +287,7 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
                    goto out;
                }
-                ret = smbus_write_block(s->smbus, addr, cmd, s->smb_data,
+                ret = smbus_write_block(s->smbus, smb_addr, cmd, s->smb_data,
                                        s->smb_data0, !s->i2c_enable);
                if (ret < 0) {
                    s->smb_stat |= STS_DEV_ERR;
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@ -359,60 +359,6 @@ GlobalProperty pc_compat_2_0[] = {
 };
 const size_t pc_compat_2_0_len = G_N_ELEMENTS(pc_compat_2_0);
 GlobalProperty pc_compat_1_7[] = {
    PC_CPU_MODEL_IDS("1.7.0")
    { TYPE_USB_DEVICE, "msos-desc", "no" },
    { "PIIX4_PM", ACPI_PM_PROP_ACPI_PCIHP_BRIDGE, "off" },
    { "hpet", HPET_INTCAP, "4" },
 };
 const size_t pc_compat_1_7_len = G_N_ELEMENTS(pc_compat_1_7);
 GlobalProperty pc_compat_1_6[] = {
    PC_CPU_MODEL_IDS("1.6.0")
    { "e1000", "mitigation", "off" },
    { "qemu64-" TYPE_X86_CPU, "model", "2" },
    { "qemu32-" TYPE_X86_CPU, "model", "3" },
    { "i440FX-pcihost", "short_root_bus", "1" },
    { "q35-pcihost", "short_root_bus", "1" },
 };
 const size_t pc_compat_1_6_len = G_N_ELEMENTS(pc_compat_1_6);
 GlobalProperty pc_compat_1_5[] = {
    PC_CPU_MODEL_IDS("1.5.0")
    { "Conroe-" TYPE_X86_CPU, "model", "2" },
    { "Conroe-" TYPE_X86_CPU, "min-level", "2" },
    { "Penryn-" TYPE_X86_CPU, "model", "2" },
    { "Penryn-" TYPE_X86_CPU, "min-level", "2" },
    { "Nehalem-" TYPE_X86_CPU, "model", "2" },
    { "Nehalem-" TYPE_X86_CPU, "min-level", "2" },
    { "virtio-net-pci", "any_layout", "off" },
    { TYPE_X86_CPU, "pmu", "on" },
    { "i440FX-pcihost", "short_root_bus", "0" },
    { "q35-pcihost", "short_root_bus", "0" },
 };
 const size_t pc_compat_1_5_len = G_N_ELEMENTS(pc_compat_1_5);
 GlobalProperty pc_compat_1_4[] = {
    PC_CPU_MODEL_IDS("1.4.0")
    { "scsi-hd", "discard_granularity", "0" },
    { "scsi-cd", "discard_granularity", "0" },
    { "ide-hd", "discard_granularity", "0" },
    { "ide-cd", "discard_granularity", "0" },
    { "virtio-blk-pci", "discard_granularity", "0" },
    /* DEV_NVECTORS_UNSPECIFIED as a uint32_t string: */
    { "virtio-serial-pci", "vectors", "0xFFFFFFFF" },
    { "virtio-net-pci", "ctrl_guest_offloads", "off" },
    { "e1000", "romfile", "pxe-e1000.rom" },
    { "ne2k_pci", "romfile", "pxe-ne2k_pci.rom" },
    { "pcnet", "romfile", "pxe-pcnet.rom" },
    { "rtl8139", "romfile", "pxe-rtl8139.rom" },
    { "virtio-net-pci", "romfile", "pxe-virtio.rom" },
    { "486-" TYPE_X86_CPU, "model", "0" },
    { "n270" "-" TYPE_X86_CPU, "movbe", "off" },
    { "Westmere" "-" TYPE_X86_CPU, "pclmulqdq", "off" },
 };
 const size_t pc_compat_1_4_len = G_N_ELEMENTS(pc_compat_1_4);
 GSIState *pc_gsi_create(qemu_irq **irqs, bool pci_enabled)
 {
    GSIState *s;
@ -1293,9 +1239,9 @@ void pc_basic_device_init(struct PCMachineState *pcms,
            exit(1);
        }
        /*
-         * For pc-piix-*, hpet's intcap is always IRQ2. For pc-q35-1.7 and
+         * For pc-piix-*, hpet's intcap is always IRQ2. For pc-q35-*,
-         * earlier, use IRQ2 for compat. Otherwise, use IRQ16~23, IRQ8 and
+         * use IRQ16~23, IRQ8 and IRQ2.  If the user has already set
-         * IRQ2.
+         * the property, use whatever mask they specified.
         */
        uint8_t compat = object_property_get_uint(OBJECT(hpet),
                HPET_INTCAP, NULL);
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@ -423,27 +423,6 @@ static void pc_compat_2_0_fn(MachineState *machine)
    pc_compat_2_1_fn(machine);
 }
 static void pc_compat_1_7_fn(MachineState *machine)
 {
    pc_compat_2_0_fn(machine);
    x86_cpu_change_kvm_default("x2apic", NULL);
 }
 static void pc_compat_1_6_fn(MachineState *machine)
 {
    pc_compat_1_7_fn(machine);
 }
 static void pc_compat_1_5_fn(MachineState *machine)
 {
    pc_compat_1_6_fn(machine);
 }
 static void pc_compat_1_4_fn(MachineState *machine)
 {
    pc_compat_1_5_fn(machine);
 }
 #ifdef CONFIG_ISAPC
 static void pc_init_isa(MachineState *machine)
 {
@ -876,58 +855,6 @@ static void pc_i440fx_2_0_machine_options(MachineClass *m)
 DEFINE_I440FX_MACHINE(v2_0, "pc-i440fx-2.0", pc_compat_2_0_fn,
                      pc_i440fx_2_0_machine_options);
 static void pc_i440fx_1_7_machine_options(MachineClass *m)
 {
    PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
    pc_i440fx_2_0_machine_options(m);
    m->hw_version = "1.7.0";
    m->default_machine_opts = NULL;
    m->option_rom_has_mr = true;
    m->deprecation_reason = "old and unattended - use a newer version instead";
    compat_props_add(m->compat_props, pc_compat_1_7, pc_compat_1_7_len);
    pcmc->smbios_defaults = false;
    pcmc->gigabyte_align = false;
    pcmc->legacy_acpi_table_size = 6414;
 }
 DEFINE_I440FX_MACHINE(v1_7, "pc-i440fx-1.7", pc_compat_1_7_fn,
                      pc_i440fx_1_7_machine_options);
 static void pc_i440fx_1_6_machine_options(MachineClass *m)
 {
    PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
    pc_i440fx_1_7_machine_options(m);
    m->hw_version = "1.6.0";
    m->rom_file_has_mr = false;
    compat_props_add(m->compat_props, pc_compat_1_6, pc_compat_1_6_len);
    pcmc->has_acpi_build = false;
 }
 DEFINE_I440FX_MACHINE(v1_6, "pc-i440fx-1.6", pc_compat_1_6_fn,
                      pc_i440fx_1_6_machine_options);
 static void pc_i440fx_1_5_machine_options(MachineClass *m)
 {
    pc_i440fx_1_6_machine_options(m);
    m->hw_version = "1.5.0";
    compat_props_add(m->compat_props, pc_compat_1_5, pc_compat_1_5_len);
 }
 DEFINE_I440FX_MACHINE(v1_5, "pc-i440fx-1.5", pc_compat_1_5_fn,
                      pc_i440fx_1_5_machine_options);
 static void pc_i440fx_1_4_machine_options(MachineClass *m)
 {
    pc_i440fx_1_5_machine_options(m);
    m->hw_version = "1.4.0";
    compat_props_add(m->compat_props, pc_compat_1_4, pc_compat_1_4_len);
 }
 DEFINE_I440FX_MACHINE(v1_4, "pc-i440fx-1.4", pc_compat_1_4_fn,
                      pc_i440fx_1_4_machine_options);
 #ifdef CONFIG_ISAPC
 static void isapc_machine_options(MachineClass *m)
 {
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@ -192,7 +192,7 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length,
    return addr;
 }
-static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr req_addr)
 {
    PCIDevice *pci = (PCIDevice *) s;
    hwaddr next_chain_addr;
@ -201,8 +201,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
    uint32_t chain_offset;
    chain_offset = req->scsi_io.ChainOffset;
-    next_chain_addr = addr + chain_offset * sizeof(uint32_t);
+    next_chain_addr = req_addr + chain_offset * sizeof(uint32_t);
-    sgaddr = addr + sizeof(MPIMsgSCSIIORequest);
+    sgaddr = req_addr + sizeof(MPIMsgSCSIIORequest);
    pci_dma_sglist_init(&req->qsg, pci, 4);
    left = req->scsi_io.DataLength;
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
         * Since the existing code only checks/updates bits 8-15 of the block
         * size, restrict ourselves to the same requirement for now to ensure
         * that a block size set by a block descriptor and then read back by
-         * a subsequent SCSI command will be the same
+         * a subsequent SCSI command will be the same. Also disallow a block
         * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
         */
-        if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
+        if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
            s->qdev.blocksize = bs;
            trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
        }
--- a/include/qemu/compiler.h
+++ b/include/qemu/compiler.h
@ -197,4 +197,10 @@
 #define BUILTIN_SUBCLL_BROKEN
 #endif
 #if __has_attribute(annotate)
 #define QEMU_ANNOTATE(x) __attribute__((annotate(x)))
 #else
 #define QEMU_ANNOTATE(x)
 #endif
 #endif /* COMPILER_H */
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@ -185,7 +185,7 @@ extern "C" {
 *   }
 */
 #ifdef __clang__
-#define coroutine_fn __attribute__((__annotate__("coroutine_fn")))
+#define coroutine_fn QEMU_ANNOTATE("coroutine_fn")
 #else
 #define coroutine_fn
 #endif
@ -195,7 +195,7 @@ extern "C" {
 * but can handle running in non-coroutine context too.
 */
 #ifdef __clang__
-#define coroutine_mixed_fn __attribute__((__annotate__("coroutine_mixed_fn")))
+#define coroutine_mixed_fn QEMU_ANNOTATE("coroutine_mixed_fn")
 #else
 #define coroutine_mixed_fn
 #endif
@ -224,7 +224,7 @@ extern "C" {
 *   }
 */
 #ifdef __clang__
-#define no_coroutine_fn __attribute__((__annotate__("no_coroutine_fn")))
+#define no_coroutine_fn QEMU_ANNOTATE("no_coroutine_fn")
 #else
 #define no_coroutine_fn
 #endif
--- a/pc-bios/bios.bin
+++ b/pc-bios/bios.bin
--- a/roms/config.seabios-128k
+++ b/roms/config.seabios-128k
@ -1,21 +1,30 @@
-# for qemu machine types 1.7 + older
+# SeaBIOS Configuration for -M isapc
-# need to turn off features (xhci,uas) to make it fit into 128k
+
 CONFIG_QEMU=y
 CONFIG_ROM_SIZE=128
 CONFIG_ATA_DMA=n
 CONFIG_BOOTSPLASH=n
 CONFIG_XEN=n
-CONFIG_USB_OHCI=n
+CONFIG_ATA_PIO32=n
-CONFIG_USB_XHCI=n
+CONFIG_AHCI=n
 CONFIG_USB_UAS=n
 CONFIG_SDCARD=n
-CONFIG_TCGBIOS=n
+CONFIG_VIRTIO_BLK=n
-CONFIG_MPT_SCSI=n
+CONFIG_VIRTIO_SCSI=n
 CONFIG_ESP_SCSI=n
 CONFIG_MEGASAS=n
 CONFIG_PVSCSI=n
 CONFIG_ESP_SCSI=n
 CONFIG_LSI_SCSI=n
 CONFIG_MEGASAS=n
 CONFIG_MPT_SCSI=n
 CONFIG_NVME=n
 CONFIG_USE_SMM=n
 CONFIG_VGAHOOKS=n
 CONFIG_HOST_BIOS_GEOMETRY=n
 CONFIG_USB=n
 CONFIG_PMTIMER=n
 CONFIG_PCIBIOS=n
 CONFIG_DISABLE_A20=n
 CONFIG_WRITABLE_UPPERMEMORY=n
 CONFIG_TCGBIOS=n
 CONFIG_ACPI=n
 CONFIG_ACPI_PARSE=n
 CONFIG_DEBUG_SERIAL=n
 CONFIG_DEBUG_SERIAL_MMIO=n
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@ -3214,7 +3214,6 @@ void qemu_init(int argc, char **argv)
                }
                break;
            case QEMU_OPTION_watchdog_action: {
                QemuOpts *opts;
                opts = qemu_opts_create(qemu_find_opts("action"), NULL, 0, &error_abort);
                qemu_opt_set(opts, "watchdog", optarg, &error_abort);
                break;
@ -3525,16 +3524,16 @@ void qemu_init(int argc, char **argv)
                break;
            case QEMU_OPTION_compat:
                {
-                    CompatPolicy *opts;
+                    CompatPolicy *opts_policy;
                    Visitor *v;
                    v = qobject_input_visitor_new_str(optarg, NULL,
                                                      &error_fatal);
-                    visit_type_CompatPolicy(v, NULL, &opts, &error_fatal);
+                    visit_type_CompatPolicy(v, NULL, &opts_policy, &error_fatal);
-                    QAPI_CLONE_MEMBERS(CompatPolicy, &compat_policy, opts);
+                    QAPI_CLONE_MEMBERS(CompatPolicy, &compat_policy, opts_policy);
-                    qapi_free_CompatPolicy(opts);
+                    qapi_free_CompatPolicy(opts_policy);
                    visit_free(v);
                    break;
                }
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@ -5976,9 +5976,10 @@ static void x86_register_cpudef_types(const X86CPUDefinition *def)
    /* Versioned models: */
    for (vdef = x86_cpu_def_get_versions(def); vdef->version; vdef++) {
        X86CPUModel *m = g_new0(X86CPUModel, 1);
        g_autofree char *name =
            x86_cpu_versioned_model_name(def, vdef->version);
        m = g_new0(X86CPUModel, 1);
        m->cpudef = def;
        m->version = vdef->version;
        m->note = vdef->note;
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@ -2699,8 +2699,6 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
    if (enable_cpu_pm) {
        int disable_exits = kvm_check_extension(s, KVM_CAP_X86_DISABLE_EXITS);
        int ret;
 /* Work around for kernel header with a typo. TODO: fix header and drop. */
 #if defined(KVM_X86_DISABLE_EXITS_HTL) && !defined(KVM_X86_DISABLE_EXITS_HLT)
 #define KVM_X86_DISABLE_EXITS_HLT KVM_X86_DISABLE_EXITS_HTL
@ -3610,7 +3608,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
        if (kvm_enabled() && cpu->enable_pmu &&
            (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
            uint64_t depth;
-            int i, ret;
+            int ret;
            /*
             * Only migrate Arch LBR states when the host Arch LBR depth
@ -3643,8 +3641,6 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
    }
    if (env->mcg_cap) {
        int i;
        kvm_msr_entry_add(cpu, MSR_MCG_STATUS, env->mcg_status);
        kvm_msr_entry_add(cpu, MSR_MCG_CTL, env->mcg_ctl);
        if (has_msr_mcg_ext_ctl) {
@ -4041,7 +4037,6 @@ static int kvm_get_msrs(X86CPU *cpu)
    if (kvm_enabled() && cpu->enable_pmu &&
        (env->features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_LBR)) {
        uint64_t depth;
        int i, ret;
        ret = kvm_get_one_msr(cpu, MSR_ARCH_LBR_DEPTH, &depth);
        if (ret == 1 && depth == ARCH_LBR_NR_ENTRIES) {
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@ -226,12 +226,27 @@ static void tss_load_seg(CPUX86State *env, X86Seg seg_reg, int selector,
    }
 }
 static void tss_set_busy(CPUX86State *env, int tss_selector, bool value,
                         uintptr_t retaddr)
 {
    target_ulong ptr = env->gdt.base + (env->tr.selector & ~7);
    uint32_t e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
    if (value) {
        e2 |= DESC_TSS_BUSY_MASK;
    } else {
        e2 &= ~DESC_TSS_BUSY_MASK;
    }
    cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
 }
 #define SWITCH_TSS_JMP  0
 #define SWITCH_TSS_IRET 1
 #define SWITCH_TSS_CALL 2
-/* XXX: restore CPU state in registers (PowerPC case) */
+/* return 0 if switching to a 16-bit selector */
-static void switch_tss_ra(CPUX86State *env, int tss_selector,
+static int switch_tss_ra(CPUX86State *env, int tss_selector,
                         uint32_t e1, uint32_t e2, int source,
                         uint32_t next_eip, uintptr_t retaddr)
 {
@ -341,13 +356,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
    /* clear busy bit (it is restartable) */
    if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_IRET) {
-        target_ulong ptr;
+        tss_set_busy(env, env->tr.selector, 0, retaddr);
        uint32_t e2;
        ptr = env->gdt.base + (env->tr.selector & ~7);
        e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
        e2 &= ~DESC_TSS_BUSY_MASK;
        cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
    }
    old_eflags = cpu_compute_eflags(env);
    if (source == SWITCH_TSS_IRET) {
@ -399,13 +408,7 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
    /* set busy bit */
    if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_CALL) {
-        target_ulong ptr;
+        tss_set_busy(env, tss_selector, 1, retaddr);
        uint32_t e2;
        ptr = env->gdt.base + (tss_selector & ~7);
        e2 = cpu_ldl_kernel_ra(env, ptr + 4, retaddr);
        e2 |= DESC_TSS_BUSY_MASK;
        cpu_stl_kernel_ra(env, ptr + 4, e2, retaddr);
    }
    /* set the new CPU state */
@ -499,13 +502,14 @@ static void switch_tss_ra(CPUX86State *env, int tss_selector,
        cpu_x86_update_dr7(env, env->dr[7] & ~DR7_LOCAL_BP_MASK);
    }
 #endif
    return type >> 3;
 }
-static void switch_tss(CPUX86State *env, int tss_selector,
+static int switch_tss(CPUX86State *env, int tss_selector,
                      uint32_t e1, uint32_t e2, int source,
                      uint32_t next_eip)
 {
-    switch_tss_ra(env, tss_selector, e1, e2, source, next_eip, 0);
+    return switch_tss_ra(env, tss_selector, e1, e2, source, next_eip, 0);
 }
 static inline unsigned int get_sp_mask(unsigned int e2)
@ -647,14 +651,11 @@ static void do_interrupt_protected(CPUX86State *env, int intno, int is_int,
        if (!(e2 & DESC_P_MASK)) {
            raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
        }
-        switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
+        shift = switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
        if (has_error_code) {
            int type;
            uint32_t mask;
            /* push the error code */
            type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
            shift = type >> 3;
            if (env->segs[R_SS].flags & DESC_B_MASK) {
                mask = 0xffffffff;
            } else {
--- a/target/i386/tcg/sysemu/svm_helper.c
+++ b/target/i386/tcg/sysemu/svm_helper.c
@ -387,8 +387,6 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
    env->hflags2 |= HF2_GIF_MASK;
    if (ctl_has_irq(env)) {
        CPUState *cs = env_cpu(env);
        cs->interrupt_request |= CPU_INTERRUPT_VIRQ;
    }
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@ -3242,7 +3242,7 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
    case 0x30 ... 0x35:
    case 0x38 ... 0x3d:
        {
-            int op, f, val;
+            int f;
            op = (b >> 3) & 7;
            f = (b >> 1) & 3;
@ -3302,8 +3302,6 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
    case 0x81:
    case 0x83:
        {
            int val;
            ot = mo_b_d(b, dflag);
            modrm = x86_ldub_code(env, s);
--- a/tests/qtest/m48t59-test.c
+++ b/tests/qtest/m48t59-test.c
@ -192,19 +192,22 @@ static void bcd_check_time(void)
    }
    if (!(tm_cmp(&start, datep) <= 0 && tm_cmp(datep, &end) <= 0)) {
-        long t, s;
+        long date_s, start_s;
        unsigned long diff;
        start.tm_isdst = datep->tm_isdst;
-        t = (long)mktime(datep);
+        date_s = (long)mktime(datep);
-        s = (long)mktime(&start);
+        start_s = (long)mktime(&start);
-        if (t < s) {
+        if (date_s < start_s) {
-            g_test_message("RTC is %ld second(s) behind wall-clock", (s - t));
+            diff = start_s - date_s;
            g_test_message("RTC is %ld second(s) behind wall-clock", diff);
        } else {
-            g_test_message("RTC is %ld second(s) ahead of wall-clock", (t - s));
+            diff = date_s - start_s;
            g_test_message("RTC is %ld second(s) ahead of wall-clock", diff);
        }
-        g_assert_cmpint(ABS(t - s), <=, wiggle);
+        g_assert_cmpint(diff, <=, wiggle);
    }
    qtest_quit(qts);
--- a/tests/qtest/test-x86-cpuid-compat.c
+++ b/tests/qtest/test-x86-cpuid-compat.c
@ -313,18 +313,10 @@ int main(int argc, char **argv)
                       "xlevel2", 0);
    }
    /*
-     * QEMU 1.4.0 had auto-level enabled for CPUID[7], already,
+     * QEMU 2.3.0 had auto-level enabled for CPUID[7], already,
     * and the compat code that sets default level shouldn't
     * disable the auto-level=7 code:
     */
    if (qtest_has_machine("pc-i440fx-1.4")) {
        add_cpuid_test("x86/cpuid/auto-level7/pc-i440fx-1.4/off",
                       "-machine pc-i440fx-1.4 -cpu Nehalem",
                       "level", 2);
        add_cpuid_test("x86/cpuid/auto-level7/pc-i440fx-1.5/on",
                       "-machine pc-i440fx-1.4 -cpu Nehalem,smap=on",
                       "level", 7);
    }
    if (qtest_has_machine("pc-i440fx-2.3")) {
        add_cpuid_test("x86/cpuid/auto-level7/pc-i440fx-2.3/off",
                       "-machine pc-i440fx-2.3 -cpu Penryn",
--- a/ui/vnc.c
+++ b/ui/vnc.c
@ -2205,7 +2205,7 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
            break;
        case VNC_ENCODING_XVP:
            if (vs->vd->power_control) {
-                vs->features |= VNC_FEATURE_XVP;
+                vs->features |= VNC_FEATURE_XVP_MASK;
                send_xvp_message(vs, VNC_XVP_CODE_INIT);
            }
            break;
@ -2454,7 +2454,7 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
        vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
        break;
    case VNC_MSG_CLIENT_XVP:
-        if (!(vs->features & VNC_FEATURE_XVP)) {
+        if (!vnc_has_feature(vs, VNC_FEATURE_XVP)) {
            error_report("vnc: xvp client message while disabled");
            vnc_client_error(vs);
            break;
@ -2551,7 +2551,7 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
                    vs, vs->ioc, vs->as.fmt, vs->as.nchannels, vs->as.freq);
                break;
            default:
-                VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
+                VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 2));
                vnc_client_error(vs);
                break;
            }