-rw-r--r--MAINTAINERS7
-rwxr-xr-xconfigure12
-rw-r--r--hw/acpi/pcihp.c18
-rw-r--r--hw/i2c/pm_smbus.c63
-rw-r--r--hw/i2c/smbus.c68
-rw-r--r--hw/i386/acpi-build.c13
-rw-r--r--hw/i386/pc_piix.c4
-rw-r--r--hw/i386/pc_q35.c4
-rw-r--r--hw/intc/apic.c2
-rw-r--r--hw/intc/apic_common.c1
-rw-r--r--hw/intc/i8259.c3
-rw-r--r--include/hw/i2c/smbus.h18
-rw-r--r--include/hw/i386/apic_internal.h1
-rw-r--r--include/hw/i386/pc.h12
14 files changed, 159 insertions, 67 deletions
diff --git a/MAINTAINERS b/MAINTAINERS
index bf77713776..97c9fa1f7f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -52,6 +52,13 @@ General Project Administration
 ------------------------------
 M: Anthony Liguori <aliguori@amazon.com>
 
+Responsible Disclosure, Reporting Security Issues
+------------------------------
+W: http://wiki.qemu.org/SecurityProcess
+M: Michael S. Tsirkin <mst@redhat.com>
+M: Anthony Liguori <aliguori@amazon.com>
+L: secalert@redhat.com
+
 Guest CPU cores (TCG):
 ----------------------
 Alpha
diff --git a/configure b/configure
index 8c50d78f87..b18f531606 100755
--- a/configure
+++ b/configure
@@ -403,6 +403,14 @@ fi
 # make source path absolute
 source_path=`cd "$source_path"; pwd`
 
+# running configure in the source tree?
+# we know that's the case if configure is there.
+if test -f "./configure"; then
+    pwd_is_source_path="y"
+else
+    pwd_is_source_path="n"
+fi
+
 check_define() {
 cat > $TMPC <<EOF
 #if !defined($1)
@@ -2940,7 +2948,7 @@ EOF
     fdt=yes
     dtc_internal="yes"
     mkdir -p dtc
-    if [ "$source_path" != `pwd` ] ; then
+    if [ "$pwd_is_source_path" != "y" ] ; then
        symlink "$source_path/dtc/Makefile" "dtc/Makefile"
        symlink "$source_path/dtc/scripts" "dtc/scripts"
     fi
@@ -5176,7 +5184,7 @@ do
 done
 mkdir -p $DIRS
 for f in $FILES ; do
-    if [ -e "$source_path/$f" ] && [ "$source_path" != `pwd` ]; then
+    if [ -e "$source_path/$f" ] && [ "$pwd_is_source_path" != "y" ]; then
         symlink "$source_path/$f" "$f"
     fi
 done
diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index f80c48008c..3b143b371b 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -63,16 +63,18 @@ typedef struct AcpiPciHpFind {
 
 static int acpi_pcihp_get_bsel(PCIBus *bus)
 {
-    QObject *o = object_property_get_qobject(OBJECT(bus),
-                                             ACPI_PCIHP_PROP_BSEL, NULL);
-    int64_t bsel = -1;
-    if (o) {
-        bsel = qint_get_int(qobject_to_qint(o));
-    }
-    if (bsel < 0) {
+    Error *local_err = NULL;
+    int64_t bsel = object_property_get_int(OBJECT(bus), ACPI_PCIHP_PROP_BSEL,
+                                           &local_err);
+
+    if (local_err || bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+        if (local_err) {
+            error_free(local_err);
+        }
         return -1;
+    } else {
+        return bsel;
     }
-    return bsel;
 }
 
 static void acpi_pcihp_test_hotplug_bus(PCIBus *bus, void *opaque)
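Review bot: acpi_pcihp_get_bsel now fails in three distinct ways (property lookup error, negative value, value at or above ACPI_PCIHP_MAX_HOTPLUG_BUS), and none of that is documented. The upper bound is the security-relevant part if callers use the result as an array index; the callers are outside this hunk, so that is inferred. I would add above the function `/* Returns the bus's bsel in [0, ACPI_PCIHP_MAX_HOTPLUG_BUS), or -1 if the property is missing or out of range. */`. As a style matter, the `if (local_err)` guard around `error_free(local_err)` looks redundant if error_free() accepts NULL, and the `else` after `return -1;` can be dropped.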
diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 9f50067735..fedb5fb4d4 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -60,59 +60,78 @@ static void smb_transaction(PMSMBus *s)
     uint8_t cmd = s->smb_cmd;
     uint8_t addr = s->smb_addr >> 1;
     I2CBus *bus = s->smbus;
+    int ret;
 
     SMBUS_DPRINTF("SMBus trans addr=0x%02x prot=0x%02x\n", addr, prot);
     /* Transaction isn't exec if STS_DEV_ERR bit set */
     if ((s->smb_stat & STS_DEV_ERR) != 0)  {
-            goto error;
-        }
+        goto error;
+    }
     switch(prot) {
     case 0x0:
-        smbus_quick_command(bus, addr, read);
-        s->smb_stat |= STS_BYTE_DONE | STS_INTR;
-        break;
+        ret = smbus_quick_command(bus, addr, read);
+        goto done;
     case 0x1:
         if (read) {
-            s->smb_data0 = smbus_receive_byte(bus, addr);
+            ret = smbus_receive_byte(bus, addr);
+            goto data8;
         } else {
-            smbus_send_byte(bus, addr, cmd);
+            ret = smbus_send_byte(bus, addr, cmd);
+            goto done;
         }
-        s->smb_stat |= STS_BYTE_DONE | STS_INTR;
-        break;
     case 0x2:
         if (read) {
-            s->smb_data0 = smbus_read_byte(bus, addr, cmd);
+            ret = smbus_read_byte(bus, addr, cmd);
+            goto data8;
         } else {
-            smbus_write_byte(bus, addr, cmd, s->smb_data0);
+            ret = smbus_write_byte(bus, addr, cmd, s->smb_data0);
+            goto done;
         }
-        s->smb_stat |= STS_BYTE_DONE | STS_INTR;
         break;
     case 0x3:
         if (read) {
-            uint16_t val;
-            val = smbus_read_word(bus, addr, cmd);
-            s->smb_data0 = val;
-            s->smb_data1 = val >> 8;
+            ret = smbus_read_word(bus, addr, cmd);
+            goto data16;
         } else {
-            smbus_write_word(bus, addr, cmd, (s->smb_data1 << 8) | s->smb_data0);
+            ret = smbus_write_word(bus, addr, cmd, (s->smb_data1 << 8) | s->smb_data0);
+            goto done;
         }
-        s->smb_stat |= STS_BYTE_DONE | STS_INTR;
         break;
     case 0x5:
         if (read) {
-            s->smb_data0 = smbus_read_block(bus, addr, cmd, s->smb_data);
+            ret = smbus_read_block(bus, addr, cmd, s->smb_data);
+            goto data8;
         } else {
-            smbus_write_block(bus, addr, cmd, s->smb_data, s->smb_data0);
+            ret = smbus_write_block(bus, addr, cmd, s->smb_data, s->smb_data0);
+            goto done;
         }
-        s->smb_stat |= STS_BYTE_DONE | STS_INTR;
         break;
     default:
         goto error;
     }
+    abort();
+
+data16:
+    if (ret < 0) {
+        goto error;
+    }
+    s->smb_data1 = ret >> 8;
+data8:
+    if (ret < 0) {
+        goto error;
+    }
+    s->smb_data0 = ret;
+done:
+    if (ret < 0) {
+        goto error;
+    }
+    s->smb_stat |= STS_BYTE_DONE | STS_INTR;
     return;
 
-  error:
+error:
     s->smb_stat |= STS_DEV_ERR;
+    return;
+
 }
 
 static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
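Review bot: The `break;` lines kept in cases 0x2, 0x3 and 0x5 are unreachable, because both branches of each `if` end in a `goto`. They are also inconsistent with case 0x1, which has no `break`. They are the only statements that could lead to the `abort()` after the switch, so a future case that really does `break` would take down the whole process on what looks like a guest-driven path (the register writes that set `prot` are outside this hunk). I would delete the three `break;` lines and write the sentinel as `g_assert_not_reached();` so its intent is explicit. The trailing `return;` and blank line before the closing brace add nothing. smb_transaction starts before this hunk.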
diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c
index 3febf3c258..6e27ae8bd2 100644
--- a/hw/i2c/smbus.c
+++ b/hw/i2c/smbus.c
@@ -208,34 +208,44 @@ static int smbus_device_init(I2CSlave *i2c)
 }
 
 /* Master device commands.  */
-void smbus_quick_command(I2CBus *bus, uint8_t addr, int read)
+int smbus_quick_command(I2CBus *bus, uint8_t addr, int read)
 {
-    i2c_start_transfer(bus, addr, read);
+    if (i2c_start_transfer(bus, addr, read)) {
+        return -1;
+    }
     i2c_end_transfer(bus);
+    return 0;
 }
 
-uint8_t smbus_receive_byte(I2CBus *bus, uint8_t addr)
+int smbus_receive_byte(I2CBus *bus, uint8_t addr)
 {
     uint8_t data;
 
-    i2c_start_transfer(bus, addr, 1);
+    if (i2c_start_transfer(bus, addr, 1)) {
+        return -1;
+    }
     data = i2c_recv(bus);
     i2c_nack(bus);
     i2c_end_transfer(bus);
     return data;
 }
 
-void smbus_send_byte(I2CBus *bus, uint8_t addr, uint8_t data)
+int smbus_send_byte(I2CBus *bus, uint8_t addr, uint8_t data)
 {
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, data);
     i2c_end_transfer(bus);
+    return 0;
 }
 
-uint8_t smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t command)
+int smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t command)
 {
     uint8_t data;
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, command);
     i2c_start_transfer(bus, addr, 1);
     data = i2c_recv(bus);
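Review bot: Only the first i2c_start_transfer() in smbus_read_byte is checked. The repeated start for the read phase, `i2c_start_transfer(bus, addr, 1);`, still ignores its result, so a failure there falls through to i2c_recv() and whatever that yields is returned as if it were data. The same applies to smbus_read_word and smbus_read_block in the later hunks of this file. I would handle it like the first call, `if (i2c_start_transfer(bus, addr, 1)) { i2c_end_transfer(bus); return -1; }`, assuming the already-open write phase has to be closed with i2c_end_transfer() (not visible here). smbus_read_byte's body continues past the end of this hunk.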
@@ -244,18 +254,23 @@ uint8_t smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t command)
     return data;
 }
 
-void smbus_write_byte(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t data)
+int smbus_write_byte(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t data)
 {
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, command);
     i2c_send(bus, data);
     i2c_end_transfer(bus);
+    return 0;
 }
 
-uint16_t smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command)
+int smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command)
 {
     uint16_t data;
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, command);
     i2c_start_transfer(bus, addr, 1);
     data = i2c_recv(bus);
@@ -265,13 +280,16 @@ uint16_t smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command)
     return data;
 }
 
-void smbus_write_word(I2CBus *bus, uint8_t addr, uint8_t command, uint16_t data)
+int smbus_write_word(I2CBus *bus, uint8_t addr, uint8_t command, uint16_t data)
 {
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, command);
     i2c_send(bus, data & 0xff);
     i2c_send(bus, data >> 8);
     i2c_end_transfer(bus);
+    return 0;
 }
 
 int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data)
@@ -279,33 +297,41 @@ int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data)
     int len;
     int i;
 
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, command);
     i2c_start_transfer(bus, addr, 1);
     len = i2c_recv(bus);
-    if (len > 32)
+    if (len > 32) {
         len = 0;
-    for (i = 0; i < len; i++)
+    }
+    for (i = 0; i < len; i++) {
         data[i] = i2c_recv(bus);
+    }
     i2c_nack(bus);
     i2c_end_transfer(bus);
     return len;
 }
 
-void smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data,
-                       int len)
+int smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data,
+                      int len)
 {
     int i;
 
     if (len > 32)
         len = 32;
 
-    i2c_start_transfer(bus, addr, 0);
+    if (i2c_start_transfer(bus, addr, 0)) {
+        return -1;
+    }
     i2c_send(bus, command);
     i2c_send(bus, len);
-    for (i = 0; i < len; i++)
+    for (i = 0; i < len; i++) {
         i2c_send(bus, data[i]);
+    }
     i2c_end_transfer(bus);
+    return 0;
 }
 
 static void smbus_device_class_init(ObjectClass *klass, void *data)
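Review bot: smbus_read_block still maps a device-reported length above 32 to `len = 0` and returns it, so the caller in pm_smbus.c sees a successful zero-length read even though an error return now exists. If that is not a deliberate model of the hardware, `if (len > 32) { return -1; }` would need the transfer closed first, so it is worth deciding and commenting either way. The limit also guards the `data[i]` writes, which means the caller's buffer must hold at least 32 bytes; that buffer is declared outside this commit and should be checked. On style, `if (len > 32)` in smbus_write_block is left unbraced while the rest of the hunk adds braces, and the literal 32 appears in both functions where a named constant would tie them together.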
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index c98df88cd2..9fac589033 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -156,18 +156,21 @@ static void acpi_get_pm_info(AcpiPmInfo *pm)
     } else {
         pm->s3_disabled = false;
     }
+    qobject_decref(o);
     o = object_property_get_qobject(obj, ACPI_PM_PROP_S4_DISABLED, NULL);
     if (o) {
         pm->s4_disabled = qint_get_int(qobject_to_qint(o));
     } else {
         pm->s4_disabled = false;
     }
+    qobject_decref(o);
     o = object_property_get_qobject(obj, ACPI_PM_PROP_S4_VAL, NULL);
     if (o) {
         pm->s4_val = qint_get_int(qobject_to_qint(o));
     } else {
         pm->s4_val = false;
     }
+    qobject_decref(o);
 
     /* Fill in mandatory properties */
     pm->sci_int = object_property_get_int(obj, ACPI_PM_PROP_SCI_INT, NULL);
@@ -973,6 +976,7 @@ static void build_pci_bus_end(PCIBus *bus, void *bus_state)
         }
     }
 
+    qobject_decref(bsel);
     build_free_array(bus_table);
     build_pci_bus_state_cleanup(child);
     g_free(child);
@@ -1362,10 +1366,12 @@ static bool acpi_get_mcfg(AcpiMcfgInfo *mcfg)
         return false;
     }
     mcfg->mcfg_base = qint_get_int(qobject_to_qint(o));
+    qobject_decref(o);
 
     o = object_property_get_qobject(pci_host, PCIE_HOST_MCFG_SIZE, NULL);
     assert(o);
     mcfg->mcfg_size = qint_get_int(qobject_to_qint(o));
+    qobject_decref(o);
     return true;
 }
 
@@ -1410,15 +1416,16 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     /* ACPI tables pointed to by RSDT */
     acpi_add_table(table_offsets, tables->table_data);
     build_fadt(tables->table_data, tables->linker, &pm, facs, dsdt);
-    acpi_add_table(table_offsets, tables->table_data);
 
+    acpi_add_table(table_offsets, tables->table_data);
     build_ssdt(tables->table_data, tables->linker, &cpu, &pm, &misc, &pci,
                guest_info);
-    acpi_add_table(table_offsets, tables->table_data);
 
-    build_madt(tables->table_data, tables->linker, &cpu, guest_info);
     acpi_add_table(table_offsets, tables->table_data);
+    build_madt(tables->table_data, tables->linker, &cpu, guest_info);
+
     if (misc.has_hpet) {
+        acpi_add_table(table_offsets, tables->table_data);
         build_hpet(tables->table_data, tables->linker);
     }
     if (guest_info->numa_nodes) {
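Review bot: The corrected sequence depends on an ordering rule that nothing in the code states. acpi_add_table() has to be called immediately before the table it belongs to is built, and only when that table is actually emitted, hence the move inside `if (misc.has_hpet)`. A comment above the first call, for example `/* acpi_add_table() records the current end of table_data; call it right before each build_*() that emits a table. */`, would keep the next table added here from repeating the mistake. That wording assumes acpi_add_table stores the current offset, which is inferred from the call pattern. The `if (guest_info->numa_nodes)` block is cut off by the hunk, so confirm it follows the same order; acpi_build itself starts and ends outside the hunk.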
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index ea72502420..eaf3e61994 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -414,6 +414,10 @@ static QEMUMachine pc_i440fx_machine_v2_0 = {
     PC_I440FX_2_0_MACHINE_OPTIONS,
     .name = "pc-i440fx-2.0",
     .init = pc_init_pci_2_0,
+    .compat_props = (GlobalProperty[]) {
+        PC_COMPAT_2_0,
+        { /* end of list */ }
+    },
 };
 
 #define PC_I440FX_1_7_MACHINE_OPTIONS PC_I440FX_MACHINE_OPTIONS
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 3306f89b9e..9517ec653f 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -327,6 +327,10 @@ static QEMUMachine pc_q35_machine_v2_0 = {
     PC_Q35_2_0_MACHINE_OPTIONS,
     .name = "pc-q35-2.0",
     .init = pc_q35_init_2_0,
+    .compat_props = (GlobalProperty[]) {
+        PC_Q35_COMPAT_2_0,
+        { /* end of list */ }
+    },
 };
 
 #define PC_Q35_1_7_MACHINE_OPTIONS PC_Q35_MACHINE_OPTIONS
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
index 2f40cbad2d..ef19e5515c 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -675,7 +675,7 @@ static uint32_t apic_mem_readl(void *opaque, hwaddr addr)
         val = s->id << 24;
         break;
     case 0x03: /* version */
-        val = 0x11 | ((APIC_LVT_NB - 1) << 16); /* version 0x11 */
+        val = s->version | ((APIC_LVT_NB - 1) << 16);
         break;
     case 0x08:
         apic_sync_vapic(s, SYNC_FROM_VAPIC);
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index 7ecce2dcce..71376533ca 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -380,6 +380,7 @@ static const VMStateDescription vmstate_apic_common = {
 
 static Property apic_properties_common[] = {
     DEFINE_PROP_UINT8("id", APICCommonState, id, -1),
+    DEFINE_PROP_UINT8("version", APICCommonState, version, 0x14),
     DEFINE_PROP_BIT("vapic", APICCommonState, vapic_control, VAPIC_ENABLE_BIT,
                     true),
     DEFINE_PROP_END_OF_LIST(),
diff --git a/hw/intc/i8259.c b/hw/intc/i8259.c
index ec01393e4f..d0b0c52b97 100644
--- a/hw/intc/i8259.c
+++ b/hw/intc/i8259.c
@@ -265,7 +265,8 @@ static void pic_ioport_write(void *opaque, hwaddr addr64,
             s->init4 = val & 1;
             s->single_mode = val & 2;
             if (val & 0x08) {
-                hw_error("level sensitive irq not supported");
+                qemu_log_mask(LOG_UNIMP,
+                              "i8259: level sensitive irq not supported\n");
             }
         } else if (val & 0x08) {
             if (val & 0x04) {
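Review bot: The reason for replacing hw_error() with a log line is not recorded at the call site, and it matters for anyone touching this handler later. This is an I/O port write path, so `val` is supplied by the guest, and a fatal error here lets the guest terminate the VM. I would add `/* Guest-triggerable: log and carry on, never abort on a guest write. */` above the `qemu_log_mask` call. Execution now continues after the request for level-sensitive mode, presumably with the existing edge-triggered behaviour; if that is intended, the same comment should say so. pic_ioport_write starts and ends outside the hunk.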
diff --git a/include/hw/i2c/smbus.h b/include/hw/i2c/smbus.h
index 63f0cc4788..544bbc1957 100644
--- a/include/hw/i2c/smbus.h
+++ b/include/hw/i2c/smbus.h
@@ -66,16 +66,16 @@ struct SMBusDevice {
 };
 
 /* Master device commands.  */
-void smbus_quick_command(I2CBus *bus, uint8_t addr, int read);
-uint8_t smbus_receive_byte(I2CBus *bus, uint8_t addr);
-void smbus_send_byte(I2CBus *bus, uint8_t addr, uint8_t data);
-uint8_t smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t command);
-void smbus_write_byte(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t data);
-uint16_t smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command);
-void smbus_write_word(I2CBus *bus, uint8_t addr, uint8_t command, uint16_t data);
+int smbus_quick_command(I2CBus *bus, uint8_t addr, int read);
+int smbus_receive_byte(I2CBus *bus, uint8_t addr);
+int smbus_send_byte(I2CBus *bus, uint8_t addr, uint8_t data);
+int smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t command);
+int smbus_write_byte(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t data);
+int smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command);
+int smbus_write_word(I2CBus *bus, uint8_t addr, uint8_t command, uint16_t data);
 int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data);
-void smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data,
-                       int len);
+int smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data,
+                      int len);
 
 void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
                        const uint8_t *eeprom_spd, int size);
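Review bot: The prototypes change their return type without documenting the new convention, and the existing `/* Master device commands.  */` comment is the natural place for it. Something like `/* Master device commands. All return a negative value if the transfer could not be started; reads return the data (block read: the length), writes return 0. */` matches what the smbus.c hunks implement. Any caller not shown in this commit that stores the result of smbus_receive_byte or smbus_read_byte in a uint8_t will turn -1 into 0xff with no compiler diagnostic, so the tree should be checked for such callers.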
diff --git a/include/hw/i386/apic_internal.h b/include/hw/i386/apic_internal.h
index 70542a6f43..83e2a42cc1 100644
--- a/include/hw/i386/apic_internal.h
+++ b/include/hw/i386/apic_internal.h
@@ -98,6 +98,7 @@ struct APICCommonState {
     X86CPU *cpu;
     uint32_t apicbase;
     uint8_t id;
+    uint8_t version;
     uint8_t arb_id;
     uint8_t tpr;
     uint32_t spurious_vec;
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 9f26e14bef..32a76876c7 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -242,8 +242,12 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t);
 int e820_get_num_entries(void);
 bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *);
 
+#define PC_Q35_COMPAT_2_0 \
+        PC_COMPAT_2_0
+
 #define PC_Q35_COMPAT_1_7 \
         PC_COMPAT_1_7, \
+        PC_Q35_COMPAT_2_0, \
         {\
             .driver   = "hpet",\
             .property = HPET_INTCAP,\
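Review bot: PC_Q35_COMPAT_1_7 now expands the apic "version" entry twice. It arrives once through PC_COMPAT_1_7, which the second hunk makes start with PC_COMPAT_2_0, and again through the added `PC_Q35_COMPAT_2_0, \` line, which is itself defined as PC_COMPAT_2_0. Both copies carry the same value, so the result is presumably harmless, but the overlap is easy to miss if one of the macros later gains different entries. A comment on PC_Q35_COMPAT_2_0 such as `/* Duplicates PC_COMPAT_2_0 entries already chained via PC_COMPAT_1_7; kept so q35-only 2.0 compat props have a home. */` would make that deliberate. The PC_Q35_COMPAT_1_7 macro continues past the end of this hunk.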
@@ -262,7 +266,15 @@ bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *);
         PC_COMPAT_1_4, \
         PC_Q35_COMPAT_1_5
 
+#define PC_COMPAT_2_0 \
+        {\
+            .driver   = "apic",\
+            .property = "version",\
+            .value    = stringify(0x11),\
+        }
+
 #define PC_COMPAT_1_7 \
+        PC_COMPAT_2_0, \
         {\
             .driver   = TYPE_USB_DEVICE,\
             .property = "msos-desc",\