Add "qxl: call dpy_gfx_resize when entering vga mode" patch, fixing

an often reported use after free crash (rhbz#873845)
- Replace "wip: hw/qxl: inject interrupts in any state" patch with the
  official upstream fix
- Add 5 other spice/qxl crash/bug fixes cherry-picked from upstream
Hans de Goede 2013-01-21 16:09:24 +01:00
parent 99c373db7f
commit 83889a9bd2
10 changed files with 350 additions and 269 deletions

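--- a/<seccomp-patch-filename-not-shown>.patch
+++ /dev/null
@@ -1,241 +0,0 @@
-From fe512d65e0b752dfa7af6cfb374a0820d35040d0 Mon Sep 17 00:00:00 2001
-From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
-Date: Thu, 29 Nov 2012 13:56:41 -0200
-Subject: [PATCH] seccomp: adding new syscalls (bugzilla 855162)
-According to the bug 855162[0] - there's the need of adding new syscalls
-to the whitelist when using Qemu with Libvirt.
-[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
-Reported-by: Paul Moore <pmoore@redhat.com>
-Tested-by: Paul Moore <pmoore@redhat.com>
-Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
-Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
-Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
----
-qemu-seccomp.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++-------
-1 file changed, 139 insertions(+), 17 deletions(-)
-diff --git a/qemu-seccomp.c b/qemu-seccomp.c
-index 64329a3..2a71d6f 100644
---- a/qemu-seccomp.c
-+++ b/qemu-seccomp.c
-@@ -26,8 +26,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
-{ SCMP_SYS(timer_gettime), 254 },
-{ SCMP_SYS(futex), 253 },
-{ SCMP_SYS(select), 252 },
-+#if defined(__x86_64__)
-{ SCMP_SYS(recvfrom), 251 },
-{ SCMP_SYS(sendto), 250 },
-+#elif defined(__i386__)
-+ { SCMP_SYS(socketcall), 250 },
-+#endif
-{ SCMP_SYS(read), 249 },
-{ SCMP_SYS(brk), 248 },
-{ SCMP_SYS(clone), 247 },
-@@ -36,15 +40,30 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
-{ SCMP_SYS(execve), 245 },
-{ SCMP_SYS(open), 245 },
-{ SCMP_SYS(ioctl), 245 },
-+#if defined(__x86_64__)
-+ { SCMP_SYS(socket), 245 },
-+ { SCMP_SYS(setsockopt), 245 },
-{ SCMP_SYS(recvmsg), 245 },
-{ SCMP_SYS(sendmsg), 245 },
-{ SCMP_SYS(accept), 245 },
-{ SCMP_SYS(connect), 245 },
-+ { SCMP_SYS(socketpair), 245 },
-+ { SCMP_SYS(bind), 245 },
-+ { SCMP_SYS(listen), 245 },
-+ { SCMP_SYS(semget), 245 },
-+#elif defined(__i386__)
-+ { SCMP_SYS(ipc), 245 },
-+#endif
-{ SCMP_SYS(gettimeofday), 245 },
-{ SCMP_SYS(readlink), 245 },
-{ SCMP_SYS(access), 245 },
-{ SCMP_SYS(prctl), 245 },
-{ SCMP_SYS(signalfd), 245 },
-+ { SCMP_SYS(getrlimit), 245 },
-+ { SCMP_SYS(set_tid_address), 245 },
-+ { SCMP_SYS(statfs), 245 },
-+ { SCMP_SYS(unlink), 245 },
-+ { SCMP_SYS(wait4), 245 },
-#if defined(__i386__)
-{ SCMP_SYS(fcntl64), 245 },
-{ SCMP_SYS(fstat64), 245 },
-@@ -56,30 +75,33 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
-{ SCMP_SYS(sigreturn), 245 },
-{ SCMP_SYS(_newselect), 245 },
-{ SCMP_SYS(_llseek), 245 },
-- { SCMP_SYS(mmap2), 245},
-+ { SCMP_SYS(mmap2), 245 },
-{ SCMP_SYS(sigprocmask), 245 },
--#elif defined(__x86_64__)
-- { SCMP_SYS(sched_getparam), 245},
-- { SCMP_SYS(sched_getscheduler), 245},
-- { SCMP_SYS(fstat), 245},
-- { SCMP_SYS(clock_getres), 245},
-- { SCMP_SYS(sched_get_priority_min), 245},
-- { SCMP_SYS(sched_get_priority_max), 245},
-- { SCMP_SYS(stat), 245},
-- { SCMP_SYS(socket), 245},
-- { SCMP_SYS(setsockopt), 245},
-- { SCMP_SYS(uname), 245},
-- { SCMP_SYS(semget), 245},
-#endif
-+ { SCMP_SYS(sched_getparam), 245 },
-+ { SCMP_SYS(sched_getscheduler), 245 },
-+ { SCMP_SYS(fstat), 245 },
-+ { SCMP_SYS(clock_getres), 245 },
-+ { SCMP_SYS(sched_get_priority_min), 245 },
-+ { SCMP_SYS(sched_get_priority_max), 245 },
-+ { SCMP_SYS(stat), 245 },
-+ { SCMP_SYS(uname), 245 },
-{ SCMP_SYS(eventfd2), 245 },
-{ SCMP_SYS(dup), 245 },
-+ { SCMP_SYS(dup2), 245 },
-+ { SCMP_SYS(dup3), 245 },
-{ SCMP_SYS(gettid), 245 },
-+ { SCMP_SYS(getgid), 245 },
-+ { SCMP_SYS(getegid), 245 },
-+ { SCMP_SYS(getuid), 245 },
-+ { SCMP_SYS(geteuid), 245 },
-{ SCMP_SYS(timer_create), 245 },
-{ SCMP_SYS(exit), 245 },
-{ SCMP_SYS(clock_gettime), 245 },
-{ SCMP_SYS(time), 245 },
-{ SCMP_SYS(restart_syscall), 245 },
-{ SCMP_SYS(pwrite64), 245 },
-+ { SCMP_SYS(nanosleep), 245 },
-{ SCMP_SYS(chown), 245 },
-{ SCMP_SYS(openat), 245 },
-{ SCMP_SYS(getdents), 245 },
-@@ -93,8 +115,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
-{ SCMP_SYS(lseek), 245 },
-{ SCMP_SYS(pselect6), 245 },
-{ SCMP_SYS(fork), 245 },
-- { SCMP_SYS(bind), 245 },
-- { SCMP_SYS(listen), 245 },
-{ SCMP_SYS(eventfd), 245 },
-{ SCMP_SYS(rt_sigprocmask), 245 },
-{ SCMP_SYS(write), 244 },
-@@ -104,10 +124,112 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
-{ SCMP_SYS(pipe2), 242 },
-{ SCMP_SYS(munmap), 242 },
-{ SCMP_SYS(mremap), 242 },
-+ { SCMP_SYS(fdatasync), 242 },
-+ { SCMP_SYS(close), 242 },
-+ { SCMP_SYS(rt_sigpending), 242 },
-+ { SCMP_SYS(rt_sigtimedwait), 242 },
-+ { SCMP_SYS(readv), 242 },
-+ { SCMP_SYS(writev), 242 },
-+ { SCMP_SYS(preadv), 242 },
-+ { SCMP_SYS(pwritev), 242 },
-+ { SCMP_SYS(setrlimit), 242 },
-+ { SCMP_SYS(ftruncate), 242 },
-+ { SCMP_SYS(lstat), 242 },
-+ { SCMP_SYS(pipe), 242 },
-+ { SCMP_SYS(umask), 242 },
-+ { SCMP_SYS(chdir), 242 },
-+ { SCMP_SYS(setitimer), 242 },
-+ { SCMP_SYS(setsid), 242 },
-+ { SCMP_SYS(poll), 242 },
-+ { SCMP_SYS(epoll_create), 242 },
-+ { SCMP_SYS(epoll_ctl), 242 },
-+ { SCMP_SYS(epoll_wait), 242 },
-+#if defined(__i386__)
-+ { SCMP_SYS(waitpid), 242 },
-+#elif defined(__x86_64__)
-{ SCMP_SYS(getsockname), 242 },
-{ SCMP_SYS(getpeername), 242 },
-- { SCMP_SYS(fdatasync), 242 },
-- { SCMP_SYS(close), 242 }
-+ { SCMP_SYS(accept4), 242 },
-+ { SCMP_SYS(newfstatat), 241 },
-+ { SCMP_SYS(shutdown), 241 },
-+ { SCMP_SYS(getsockopt), 241 },
-+ { SCMP_SYS(semctl), 241 },
-+ { SCMP_SYS(semop), 241 },
-+ { SCMP_SYS(semtimedop), 241 },
-+ { SCMP_SYS(epoll_ctl_old), 241 },
-+ { SCMP_SYS(epoll_wait_old), 241 },
-+#endif
-+ { SCMP_SYS(epoll_pwait), 241 },
-+ { SCMP_SYS(epoll_create1), 241 },
-+ { SCMP_SYS(ppoll), 241 },
-+ { SCMP_SYS(creat), 241 },
-+ { SCMP_SYS(link), 241 },
-+ { SCMP_SYS(getpid), 241 },
-+ { SCMP_SYS(getppid), 241 },
-+ { SCMP_SYS(getpgrp), 241 },
-+ { SCMP_SYS(getpgid), 241 },
-+ { SCMP_SYS(getsid), 241 },
-+ { SCMP_SYS(getdents64), 241 },
-+ { SCMP_SYS(getresuid), 241 },
-+ { SCMP_SYS(getresgid), 241 },
-+ { SCMP_SYS(getgroups), 241 },
-+#if defined(__i386__)
-+ { SCMP_SYS(getresuid32), 241 },
-+ { SCMP_SYS(getresgid32), 241 },
-+ { SCMP_SYS(getgroups32), 241 },
-+ { SCMP_SYS(signal), 241 },
-+ { SCMP_SYS(sigaction), 241 },
-+ { SCMP_SYS(sigsuspend), 241 },
-+ { SCMP_SYS(sigpending), 241 },
-+ { SCMP_SYS(truncate64), 241 },
-+ { SCMP_SYS(ftruncate64), 241 },
-+ { SCMP_SYS(fchown32), 241 },
-+ { SCMP_SYS(chown32), 241 },
-+ { SCMP_SYS(lchown32), 241 },
-+ { SCMP_SYS(statfs64), 241 },
-+ { SCMP_SYS(fstatfs64), 241 },
-+ { SCMP_SYS(fstatat64), 241 },
-+ { SCMP_SYS(lstat64), 241 },
-+ { SCMP_SYS(sendfile64), 241 },
-+ { SCMP_SYS(ugetrlimit), 241 },
-+#endif
-+ { SCMP_SYS(alarm), 241 },
-+ { SCMP_SYS(rt_sigsuspend), 241 },
-+ { SCMP_SYS(rt_sigqueueinfo), 241 },
-+ { SCMP_SYS(rt_tgsigqueueinfo), 241 },
-+ { SCMP_SYS(sigaltstack), 241 },
-+ { SCMP_SYS(signalfd4), 241 },
-+ { SCMP_SYS(truncate), 241 },
-+ { SCMP_SYS(fchown), 241 },
-+ { SCMP_SYS(lchown), 241 },
-+ { SCMP_SYS(fchownat), 241 },
-+ { SCMP_SYS(fstatfs), 241 },
-+ { SCMP_SYS(sendfile), 241 },
-+ { SCMP_SYS(getitimer), 241 },
-+ { SCMP_SYS(syncfs), 241 },
-+ { SCMP_SYS(fsync), 241 },
-+ { SCMP_SYS(fchdir), 241 },
-+ { SCMP_SYS(flock), 241 },
-+ { SCMP_SYS(msync), 241 },
-+ { SCMP_SYS(sched_setparam), 241 },
-+ { SCMP_SYS(sched_setscheduler), 241 },
-+ { SCMP_SYS(sched_yield), 241 },
-+ { SCMP_SYS(sched_rr_get_interval), 241 },
-+ { SCMP_SYS(sched_setaffinity), 241 },
-+ { SCMP_SYS(sched_getaffinity), 241 },
-+ { SCMP_SYS(readahead), 241 },
-+ { SCMP_SYS(timer_getoverrun), 241 },
-+ { SCMP_SYS(unlinkat), 241 },
-+ { SCMP_SYS(readlinkat), 241 },
-+ { SCMP_SYS(faccessat), 241 },
-+ { SCMP_SYS(get_robust_list), 241 },
-+ { SCMP_SYS(splice), 241 },
-+ { SCMP_SYS(vmsplice), 241 },
-+ { SCMP_SYS(getcpu), 241 },
-+ { SCMP_SYS(sendmmsg), 241 },
-+ { SCMP_SYS(recvmmsg), 241 },
-+ { SCMP_SYS(prlimit64), 241 },
-+ { SCMP_SYS(waitid), 241 }
-};
-int seccomp_start(void)
---
-1.8.0.2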

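--- /dev/null
+++ b/0515-hw-qxl-exit-on-failure-to-register-qxl-interface.patch
@@ -0,0 +1,35 @@
+From 58891f4a215336182677e97c94198ba8cced19cd Mon Sep 17 00:00:00 2001
+From: Alon Levy <alevy@redhat.com>
+Date: Wed, 3 Oct 2012 20:13:58 +0200
+Subject: [PATCH 515/522] hw/qxl: exit on failure to register qxl interface
+This prevents a segfault later on when the device reset handler
+tries to access a NULL ssd.worker since interface_attach_worker has
+not been called.
+Signed-off-by: Alon Levy <alevy@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+hw/qxl.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 8d33745..db6440e 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -2035,7 +2035,11 @@ static int qxl_init_common(PCIQXLDevice *qxl)
+qxl->ssd.qxl.base.sif = &qxl_interface.base;
+qxl->ssd.qxl.id = qxl->id;
+- qemu_spice_add_interface(&qxl->ssd.qxl.base);
++ if (qemu_spice_add_interface(&qxl->ssd.qxl.base) != 0) {
++ error_report("qxl interface %d.%d not supported by spice-server\n",
++ SPICE_INTERFACE_QXL_MAJOR, SPICE_INTERFACE_QXL_MINOR);
++ return -1;
++ }
+qemu_add_vm_change_state_handler(qxl_vm_change_state_handler, qxl);
+init_pipe_signaling(qxl);
+--
+1.8.0.2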
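Review bot: The format string handed to error_report() in the new failure branch of qxl_init_common() ends in `\n`; QEMU's error_report() terminates the message itself, so this will, as far as I can tell, print a stray blank line on stderr. Dropping it, `error_report("qxl interface %d.%d not supported by spice-server",`, keeps the output consistent with other error_report() callers, though as a cherry-pick the divergence from upstream may be deliberate. qxl_init_common() starts and ends outside the hunk.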

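--- /dev/null
+++ b/0516-hw-qxl-fix-condition-for-exiting-guest_bug.patch
@@ -0,0 +1,29 @@
+From 8ceaa64ed2f20a7af865eb9bac0bc6e54f5f7eea Mon Sep 17 00:00:00 2001
+From: Alon Levy <alevy@redhat.com>
+Date: Tue, 2 Oct 2012 11:39:14 +0200
+Subject: [PATCH 516/522] hw/qxl: fix condition for exiting guest_bug
+Reported and suggested by Paolo Bonzini, thanks.
+Signed-off-by: Alon Levy <alevy@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+hw/qxl.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/qxl.c b/hw/qxl.c
+index db6440e..445705e 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -1461,7 +1461,7 @@ static void ioport_write(void *opaque, target_phys_addr_t addr,
+qxl_async_io async = QXL_SYNC;
+uint32_t orig_io_port = io_port;
+- if (d->guest_bug && !io_port == QXL_IO_RESET) {
++ if (d->guest_bug && io_port != QXL_IO_RESET) {
+return;
+}
+--
+1.8.0.2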

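--- /dev/null
+++ b/0517-hw-qxl-qxl_send_events-nop-if-stopped.patch
@@ -0,0 +1,50 @@
+From 79868eccfd65a7926d7beff42b1094a000b10c01 Mon Sep 17 00:00:00 2001
+From: Alon Levy <alevy@redhat.com>
+Date: Thu, 1 Nov 2012 14:56:00 +0200
+Subject: [PATCH 517/522] hw/qxl: qxl_send_events: nop if stopped
+Added a trace point for easy logging.
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=870972
+Signed-off-by: Alon Levy <alevy@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+hw/qxl.c | 8 +++++++-
+trace-events | 1 +
+2 files changed, 8 insertions(+), 1 deletion(-)
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 445705e..8111bb9 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -1714,7 +1714,13 @@ static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
+uint32_t le_events = cpu_to_le32(events);
+trace_qxl_send_events(d->id, events);
+- assert(qemu_spice_display_is_running(&d->ssd));
++ if (!qemu_spice_display_is_running(&d->ssd)) {
++ /* spice-server tracks guest running state and should not do this */
++ fprintf(stderr, "%s: spice-server bug: guest stopped, ignoring\n",
++ __func__);
++ trace_qxl_send_events_vm_stopped(d->id, events);
++ return;
++ }
+old_pending = __sync_fetch_and_or(&d->ram->int_pending, le_events);
+if ((old_pending & le_events) == le_events) {
+return;
+diff --git a/trace-events b/trace-events
+index f5b5097..9d39d8d 100644
+--- a/trace-events
++++ b/trace-events
+@@ -978,6 +978,7 @@ qxl_spice_update_area(int qid, uint32_t surface_id, uint32_t left, uint32_t righ
+qxl_spice_update_area_rest(int qid, uint32_t num_dirty_rects, uint32_t clear_dirty_region) "%d #d=%d clear=%d"
+qxl_surfaces_dirty(int qid, int surface, int offset, int size) "%d surface=%d offset=%d size=%d"
+qxl_send_events(int qid, uint32_t events) "%d %d"
++qxl_send_events_vm_stopped(int qid, uint32_t events) "%d %d"
+qxl_set_guest_bug(int qid) "%d"
+qxl_interrupt_client_monitors_config(int qid, int num_heads, void *heads) "%d %d %p"
+qxl_client_monitors_config_unsupported_by_guest(int qid, uint32_t int_mask, void *client_monitors_config) "%d %X %p"
+--
+1.8.0.2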

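--- /dev/null
+++ b/0518-qxl-call-dpy_gfx_resize-when-entering-vga-mode.patch
@@ -0,0 +1,37 @@
+From acbfa56143a6c8a4e0ceb2546612ae4caea907d3 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Oct 2012 14:55:12 +0100
+Subject: [PATCH 518/564] qxl: call dpy_gfx_resize when entering vga mode
+When entering vga mode the display size likely changes,
+notify all displaychangelisteners about this.
+Probably went unnoticed for a while as one if the first
+things the guest does after leaving qxl native mode and
+entering qxl vga mode is to set the vga video mode. But
+there is still a small window where qemu can operate on
+stale data, leading to crashes now and then.
+https://bugzilla.redhat.com/show_bug.cgi?id=865767
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+hw/qxl.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 8111bb9..3583d98 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -1084,7 +1084,7 @@ static void qxl_enter_vga_mode(PCIQXLDevice *d)
+trace_qxl_enter_vga_mode(d->id);
+qemu_spice_create_host_primary(&d->ssd);
+d->mode = QXL_MODE_VGA;
+- memset(&d->ssd.dirty, 0, sizeof(d->ssd.dirty));
++ dpy_resize(d->ssd.ds);
+vga_dirty_log_start(&d->vga);
+}
+--
+1.8.1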
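Review bot: The patch subject and the spec's patch name both say dpy_gfx_resize, but the replacement line in qxl_enter_vga_mode() calls `dpy_resize(d->ssd.ds)`, so the title no longer describes the code being applied. Presumably this is the pre-rename name of the same call in the 1.2.2 tree this is backported to; a line in the patch description such as `Backport note: 1.2.2 still calls this dpy_resize(), renamed dpy_gfx_resize() upstream.` would save the next rebase a search. The removed memset of ssd.dirty is not restored, so clearing the dirty rectangle now relies on the resize path doing so; worth confirming against the upstream commit that this is intended.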

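--- /dev/null
+++ b/0519-spice-fix-initialization-order.patch
@@ -0,0 +1,67 @@
+From d106523eff9b2f7e0b201c04a825c1fbcef1e495 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 2 Nov 2012 09:37:27 +0100
+Subject: [PATCH 519/564] spice: fix initialization order
+Register displaychangelistener last, after spice is fully initialized,
+otherwise we may hit NULL pointer dereferences when qemu starts calling
+our callbacks.
+Commit e250d949feb1334828f27f0d145c35f29c4b7639 triggers this bug.
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+hw/qxl.c | 10 ++++++++--
+ui/spice-display.c | 2 +-
+2 files changed, 9 insertions(+), 3 deletions(-)
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 3583d98..525763b 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -2061,6 +2061,7 @@ static int qxl_init_primary(PCIDevice *dev)
+PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, dev);
+VGACommonState *vga = &qxl->vga;
+PortioList *qxl_vga_port_list = g_new(PortioList, 1);
++ int rc;
+qxl->id = 0;
+qxl_init_ramsize(qxl);
+@@ -2075,9 +2076,14 @@ static int qxl_init_primary(PCIDevice *dev)
+qemu_spice_display_init_common(&qxl->ssd, vga->ds);
+qxl0 = qxl;
+- register_displaychangelistener(vga->ds, &display_listener);
+- return qxl_init_common(qxl);
++ rc = qxl_init_common(qxl);
++ if (rc != 0) {
++ return rc;
++ }
++
++ register_displaychangelistener(vga->ds, &display_listener);
++ return rc;
+}
+static int qxl_init_secondary(PCIDevice *dev)
+diff --git a/ui/spice-display.c b/ui/spice-display.c
+index d062765..4c24c32 100644
+--- a/ui/spice-display.c
++++ b/ui/spice-display.c
+@@ -617,7 +617,6 @@ void qemu_spice_display_init(DisplayState *ds)
+{
+assert(sdpy.ds == NULL);
+qemu_spice_display_init_common(&sdpy, ds);
+- register_displaychangelistener(ds, &display_listener);
+sdpy.qxl.base.sif = &dpy_interface.base;
+qemu_spice_add_interface(&sdpy.qxl.base);
+@@ -626,4 +625,5 @@ void qemu_spice_display_init(DisplayState *ds)
+qemu_add_vm_change_state_handler(qemu_spice_vm_change_state_handler, &sdpy);
+qemu_spice_create_host_memslot(&sdpy);
+qemu_spice_create_host_primary(&sdpy);
++ register_displaychangelistener(ds, &display_listener);
+}
+--
+1.8.1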
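Review bot: The final `return rc;` in the reworked qxl_init_primary() is only reached after `if (rc != 0) return rc;`, so rc is always 0 there; `return 0;` states the success path directly and stops a reader checking whether rc could have changed in between. A one-line comment on the moved registration, `/* register last: listener callbacks may fire immediately and need ssd fully set up */`, would also record the ordering constraint the patch description explains, in both qxl_init_primary() and qemu_spice_display_init(). qxl_init_primary() starts outside the first hunk.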

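--- /dev/null
+++ b/0520-spice-add-new-spice-server-callbacks-to-ui-spice-dis.patch
@@ -0,0 +1,69 @@
+From e4e6427ffc8a25e6eafdbf1a284319721891fb77 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 21 Nov 2012 14:41:48 +0100
+Subject: [PATCH 520/564] spice: add new spice-server callbacks to
+ui/spice-display.c
+Otherwise qemu crashes with non-qxl graphics cards.
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ui/spice-display.c | 35 +++++++++++++++++++++++++++++++++++
+1 file changed, 35 insertions(+)
+diff --git a/ui/spice-display.c b/ui/spice-display.c
+index 4c24c32..85c055e 100644
+--- a/ui/spice-display.c
++++ b/ui/spice-display.c
+@@ -569,6 +569,37 @@ static int interface_flush_resources(QXLInstance *sin)
+return 0;
+}
++static void interface_update_area_complete(QXLInstance *sin,
++ uint32_t surface_id,
++ QXLRect *dirty, uint32_t num_updated_rects)
++{
++ /* should never be called, used in qxl native mode only */
++ fprintf(stderr, "%s: abort()\n", __func__);
++ abort();
++}
++
++/* called from spice server thread context only */
++static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
++{
++ /* should never be called, used in qxl native mode only */
++ fprintf(stderr, "%s: abort()\n", __func__);
++ abort();
++}
++
++static void interface_set_client_capabilities(QXLInstance *sin,
++ uint8_t client_present,
++ uint8_t caps[58])
++{
++ dprint(3, "%s:\n", __func__);
++}
++
++static int interface_client_monitors_config(QXLInstance *sin,
++ VDAgentMonitorsConfig *monitors_config)
++{
++ dprint(3, "%s:\n", __func__);
++ return 0; /* == not supported by guest */
++}
++
+static const QXLInterface dpy_interface = {
+.base.type = SPICE_INTERFACE_QXL,
+.base.description = "qemu simple display",
+@@ -588,6 +619,10 @@ static const QXLInterface dpy_interface = {
+.req_cursor_notification = interface_req_cursor_notification,
+.notify_update = interface_notify_update,
+.flush_resources = interface_flush_resources,
++ .async_complete = interface_async_complete,
++ .update_area_complete = interface_update_area_complete,
++ .set_client_capabilities = interface_set_client_capabilities,
++ .client_monitors_config = interface_client_monitors_config,
+};
+static SimpleSpiceDisplay sdpy;
+--
+1.8.1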
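Review bot: `uint8_t caps[58]` in the new interface_set_client_capabilities() is a bare magic number with nothing saying where 58 comes from. It is presumably the capability-bitmap size fixed by the spice-server QXLInterface ABI, so it cannot be chosen freely here; if the spice-protocol headers in use define SPICE_CAPABILITIES_SIZE, using that name documents the constraint, otherwise a comment `/* 58 == capability bitmap size fixed by the spice-server QXLInterface ABI */` does. The two abort() stubs would also read better with a note that they exist so the function-pointer slots are non-NULL for non-qxl displays, which is the crash the patch description refers to.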

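--- /dev/null
+++ b/0521-qxl-save-qemu_create_displaysurface_from-result.patch
@@ -0,0 +1,41 @@
+From 39a4efbef72744cb09151954091710400c31f18d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 10 Dec 2012 07:41:07 +0100
+Subject: [PATCH 521/564] qxl: save qemu_create_displaysurface_from result
+Spotted by Coverity.
+https://bugzilla.redhat.com/show_bug.cgi?id=885644
+Cc: qemu-stable@nongnu.org
+Reported-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+hw/qxl-render.c | 11 ++++++-----
+1 file changed, 6 insertions(+), 5 deletions(-)
+diff --git a/hw/qxl-render.c b/hw/qxl-render.c
+index b66c168..e7d41ec 100644
+--- a/hw/qxl-render.c
++++ b/hw/qxl-render.c
+@@ -113,11 +113,12 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
+qxl->guest_primary.bits_pp);
+if (qxl->guest_primary.qxl_stride > 0) {
+qemu_free_displaysurface(vga->ds);
+- qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
+- qxl->guest_primary.surface.height,
+- qxl->guest_primary.bits_pp,
+- qxl->guest_primary.abs_stride,
+- qxl->guest_primary.data);
++ vga->ds->surface = qemu_create_displaysurface_from
++ (qxl->guest_primary.surface.width,
++ qxl->guest_primary.surface.height,
++ qxl->guest_primary.bits_pp,
++ qxl->guest_primary.abs_stride,
++ qxl->guest_primary.data);
+} else {
+qemu_resize_displaysurface(vga->ds,
+qxl->guest_primary.surface.width,
+--
+1.8.1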

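--- a/0705-wip-hw-qxl-inject-interrupts-in-any-state.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 605d30a4a9548e27d65fa90faa29b942df097e1e Mon Sep 17 00:00:00 2001
-From: Alon Levy <alevy@redhat.com>
-Date: Tue, 30 Oct 2012 18:00:33 +0200
-Subject: [PATCH] wip: hw/qxl: inject interrupts in any state
----
-hw/qxl.c | 1 -
-1 file changed, 1 deletion(-)
-diff --git a/hw/qxl.c b/hw/qxl.c
-index 8d33745..1d8ffae 100644
---- a/hw/qxl.c
-+++ b/hw/qxl.c
-@@ -1714,7 +1714,6 @@ static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
-uint32_t le_events = cpu_to_le32(events);
-trace_qxl_send_events(d->id, events);
-- assert(qemu_spice_display_is_running(&d->ssd));
-old_pending = __sync_fetch_and_or(&d->ram->int_pending, le_events);
-if ((old_pending & le_events) == le_events) {
-return;
---
-1.8.0.2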


@ -109,7 +109,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 1.2.2
Release: 3%{?dist}
Release: 4%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@ -468,6 +468,13 @@ Patch0511: 0511-hw-qxl-support-client-monitor-configuration-via-devi.patch
Patch0512: 0512-qxl-update_area_io-cleanup-invalid-parameters-handli.patch
Patch0513: 0513-qxl-fix-range-check-for-rev3-io-commands.patch
Patch0514: 0514-qxl-vnc-register-a-vm-state-handler-for-dummy-spice_.patch
Patch0515: 0515-hw-qxl-exit-on-failure-to-register-qxl-interface.patch
Patch0516: 0516-hw-qxl-fix-condition-for-exiting-guest_bug.patch
Patch0517: 0517-hw-qxl-qxl_send_events-nop-if-stopped.patch
Patch0518: 0518-qxl-call-dpy_gfx_resize-when-entering-vga-mode.patch
Patch0519: 0519-spice-fix-initialization-order.patch
Patch0520: 0520-spice-add-new-spice-server-callbacks-to-ui-spice-dis.patch
Patch0521: 0521-qxl-save-qemu_create_displaysurface_from-result.patch
# usb-redir live-migration and misc bits from upstream master
Patch0601: 0601-usb-redir-Convert-to-new-libusbredirparser-0.5-API.patch
@ -516,8 +523,6 @@ Patch0702: 0702-configure-Add-disable-kvm-options.patch
Patch0703: 0703-arm_boot-Change-initrd-load-address-to-halfway-throu.patch
# Don't use reserved word 'function' in systemtap files (bz 870972)
Patch0704: 0704-dtrace-backend-add-function-to-reserved-words.patch
# Drop assertion that was triggering when pausing guests w/ qxl (bz 870972)
Patch0705: 0705-wip-hw-qxl-inject-interrupts-in-any-state.patch
# libcacard build fixes
Patch0706: 0706-libcacard-fix-missing-symbols-in-libcacard.so.patch
Patch0707: 0707-configure-move-vscclient-binary-under-libcacard.patch
@ -1280,6 +1285,13 @@ CAC emulation development files.
%patch0512 -p1
%patch0513 -p1
%patch0514 -p1
%patch0515 -p1
%patch0516 -p1
%patch0517 -p1
%patch0518 -p1
%patch0519 -p1
%patch0520 -p1
%patch0521 -p1
# usb-redir live-migration and misc bits from upstream master
%patch0601 -p1
@ -1323,7 +1335,6 @@ CAC emulation development files.
%patch0702 -p1
%patch0703 -p1
%patch0704 -p1
%patch0705 -p1
%patch0706 -p1
%patch0707 -p1
%patch0708 -p1
@ -1937,6 +1948,13 @@ getent passwd qemu >/dev/null || \
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Mon Jan 21 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-4
- Add "qxl: call dpy_gfx_resize when entering vga mode" patch, fixing
an often reported use after free crash (rhbz#873845)
- Replace "wip: hw/qxl: inject interrupts in any state" patch with the
official upstream fix
- Add 5 other spice/qxl crash/bug fixes cherry-picked from upstream
* Fri Jan 18 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-3
- Fix a crash when using -vga qxl without -spice (bz #892075)