Add "qxl: call dpy_gfx_resize when entering vga mode" patch, fixing
an often-reported use-after-free crash (rhbz#873845) - Replace "wip: hw/qxl: inject interrupts in any state" patch with the official upstream fix - Add 5 other spice/qxl crash/bug fixes cherry-picked from upstream
parent
99c373db7f
commit
83889a9bd2
|
@ -1,241 +0,0 @@
|
|||
From fe512d65e0b752dfa7af6cfb374a0820d35040d0 Mon Sep 17 00:00:00 2001
|
||||
From: Eduardo Otubo <otubo@linux.vnet.ibm.com>
|
||||
Date: Thu, 29 Nov 2012 13:56:41 -0200
|
||||
Subject: [PATCH] seccomp: adding new syscalls (bugzilla 855162)
|
||||
|
||||
According to the bug 855162[0] - there's the need of adding new syscalls
|
||||
to the whitelist when using Qemu with Libvirt.
|
||||
|
||||
[0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162
|
||||
|
||||
Reported-by: Paul Moore <pmoore@redhat.com>
|
||||
Tested-by: Paul Moore <pmoore@redhat.com>
|
||||
Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
|
||||
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
|
||||
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
||||
---
|
||||
qemu-seccomp.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 139 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
|
||||
index 64329a3..2a71d6f 100644
|
||||
--- a/qemu-seccomp.c
|
||||
+++ b/qemu-seccomp.c
|
||||
@@ -26,8 +26,12 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
||||
{ SCMP_SYS(timer_gettime), 254 },
|
||||
{ SCMP_SYS(futex), 253 },
|
||||
{ SCMP_SYS(select), 252 },
|
||||
+#if defined(__x86_64__)
|
||||
{ SCMP_SYS(recvfrom), 251 },
|
||||
{ SCMP_SYS(sendto), 250 },
|
||||
+#elif defined(__i386__)
|
||||
+ { SCMP_SYS(socketcall), 250 },
|
||||
+#endif
|
||||
{ SCMP_SYS(read), 249 },
|
||||
{ SCMP_SYS(brk), 248 },
|
||||
{ SCMP_SYS(clone), 247 },
|
||||
@@ -36,15 +40,30 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
||||
{ SCMP_SYS(execve), 245 },
|
||||
{ SCMP_SYS(open), 245 },
|
||||
{ SCMP_SYS(ioctl), 245 },
|
||||
+#if defined(__x86_64__)
|
||||
+ { SCMP_SYS(socket), 245 },
|
||||
+ { SCMP_SYS(setsockopt), 245 },
|
||||
{ SCMP_SYS(recvmsg), 245 },
|
||||
{ SCMP_SYS(sendmsg), 245 },
|
||||
{ SCMP_SYS(accept), 245 },
|
||||
{ SCMP_SYS(connect), 245 },
|
||||
+ { SCMP_SYS(socketpair), 245 },
|
||||
+ { SCMP_SYS(bind), 245 },
|
||||
+ { SCMP_SYS(listen), 245 },
|
||||
+ { SCMP_SYS(semget), 245 },
|
||||
+#elif defined(__i386__)
|
||||
+ { SCMP_SYS(ipc), 245 },
|
||||
+#endif
|
||||
{ SCMP_SYS(gettimeofday), 245 },
|
||||
{ SCMP_SYS(readlink), 245 },
|
||||
{ SCMP_SYS(access), 245 },
|
||||
{ SCMP_SYS(prctl), 245 },
|
||||
{ SCMP_SYS(signalfd), 245 },
|
||||
+ { SCMP_SYS(getrlimit), 245 },
|
||||
+ { SCMP_SYS(set_tid_address), 245 },
|
||||
+ { SCMP_SYS(statfs), 245 },
|
||||
+ { SCMP_SYS(unlink), 245 },
|
||||
+ { SCMP_SYS(wait4), 245 },
|
||||
#if defined(__i386__)
|
||||
{ SCMP_SYS(fcntl64), 245 },
|
||||
{ SCMP_SYS(fstat64), 245 },
|
||||
@@ -56,30 +75,33 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
||||
{ SCMP_SYS(sigreturn), 245 },
|
||||
{ SCMP_SYS(_newselect), 245 },
|
||||
{ SCMP_SYS(_llseek), 245 },
|
||||
- { SCMP_SYS(mmap2), 245},
|
||||
+ { SCMP_SYS(mmap2), 245 },
|
||||
{ SCMP_SYS(sigprocmask), 245 },
|
||||
-#elif defined(__x86_64__)
|
||||
- { SCMP_SYS(sched_getparam), 245},
|
||||
- { SCMP_SYS(sched_getscheduler), 245},
|
||||
- { SCMP_SYS(fstat), 245},
|
||||
- { SCMP_SYS(clock_getres), 245},
|
||||
- { SCMP_SYS(sched_get_priority_min), 245},
|
||||
- { SCMP_SYS(sched_get_priority_max), 245},
|
||||
- { SCMP_SYS(stat), 245},
|
||||
- { SCMP_SYS(socket), 245},
|
||||
- { SCMP_SYS(setsockopt), 245},
|
||||
- { SCMP_SYS(uname), 245},
|
||||
- { SCMP_SYS(semget), 245},
|
||||
#endif
|
||||
+ { SCMP_SYS(sched_getparam), 245 },
|
||||
+ { SCMP_SYS(sched_getscheduler), 245 },
|
||||
+ { SCMP_SYS(fstat), 245 },
|
||||
+ { SCMP_SYS(clock_getres), 245 },
|
||||
+ { SCMP_SYS(sched_get_priority_min), 245 },
|
||||
+ { SCMP_SYS(sched_get_priority_max), 245 },
|
||||
+ { SCMP_SYS(stat), 245 },
|
||||
+ { SCMP_SYS(uname), 245 },
|
||||
{ SCMP_SYS(eventfd2), 245 },
|
||||
{ SCMP_SYS(dup), 245 },
|
||||
+ { SCMP_SYS(dup2), 245 },
|
||||
+ { SCMP_SYS(dup3), 245 },
|
||||
{ SCMP_SYS(gettid), 245 },
|
||||
+ { SCMP_SYS(getgid), 245 },
|
||||
+ { SCMP_SYS(getegid), 245 },
|
||||
+ { SCMP_SYS(getuid), 245 },
|
||||
+ { SCMP_SYS(geteuid), 245 },
|
||||
{ SCMP_SYS(timer_create), 245 },
|
||||
{ SCMP_SYS(exit), 245 },
|
||||
{ SCMP_SYS(clock_gettime), 245 },
|
||||
{ SCMP_SYS(time), 245 },
|
||||
{ SCMP_SYS(restart_syscall), 245 },
|
||||
{ SCMP_SYS(pwrite64), 245 },
|
||||
+ { SCMP_SYS(nanosleep), 245 },
|
||||
{ SCMP_SYS(chown), 245 },
|
||||
{ SCMP_SYS(openat), 245 },
|
||||
{ SCMP_SYS(getdents), 245 },
|
||||
@@ -93,8 +115,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
||||
{ SCMP_SYS(lseek), 245 },
|
||||
{ SCMP_SYS(pselect6), 245 },
|
||||
{ SCMP_SYS(fork), 245 },
|
||||
- { SCMP_SYS(bind), 245 },
|
||||
- { SCMP_SYS(listen), 245 },
|
||||
{ SCMP_SYS(eventfd), 245 },
|
||||
{ SCMP_SYS(rt_sigprocmask), 245 },
|
||||
{ SCMP_SYS(write), 244 },
|
||||
@@ -104,10 +124,112 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
|
||||
{ SCMP_SYS(pipe2), 242 },
|
||||
{ SCMP_SYS(munmap), 242 },
|
||||
{ SCMP_SYS(mremap), 242 },
|
||||
+ { SCMP_SYS(fdatasync), 242 },
|
||||
+ { SCMP_SYS(close), 242 },
|
||||
+ { SCMP_SYS(rt_sigpending), 242 },
|
||||
+ { SCMP_SYS(rt_sigtimedwait), 242 },
|
||||
+ { SCMP_SYS(readv), 242 },
|
||||
+ { SCMP_SYS(writev), 242 },
|
||||
+ { SCMP_SYS(preadv), 242 },
|
||||
+ { SCMP_SYS(pwritev), 242 },
|
||||
+ { SCMP_SYS(setrlimit), 242 },
|
||||
+ { SCMP_SYS(ftruncate), 242 },
|
||||
+ { SCMP_SYS(lstat), 242 },
|
||||
+ { SCMP_SYS(pipe), 242 },
|
||||
+ { SCMP_SYS(umask), 242 },
|
||||
+ { SCMP_SYS(chdir), 242 },
|
||||
+ { SCMP_SYS(setitimer), 242 },
|
||||
+ { SCMP_SYS(setsid), 242 },
|
||||
+ { SCMP_SYS(poll), 242 },
|
||||
+ { SCMP_SYS(epoll_create), 242 },
|
||||
+ { SCMP_SYS(epoll_ctl), 242 },
|
||||
+ { SCMP_SYS(epoll_wait), 242 },
|
||||
+#if defined(__i386__)
|
||||
+ { SCMP_SYS(waitpid), 242 },
|
||||
+#elif defined(__x86_64__)
|
||||
{ SCMP_SYS(getsockname), 242 },
|
||||
{ SCMP_SYS(getpeername), 242 },
|
||||
- { SCMP_SYS(fdatasync), 242 },
|
||||
- { SCMP_SYS(close), 242 }
|
||||
+ { SCMP_SYS(accept4), 242 },
|
||||
+ { SCMP_SYS(newfstatat), 241 },
|
||||
+ { SCMP_SYS(shutdown), 241 },
|
||||
+ { SCMP_SYS(getsockopt), 241 },
|
||||
+ { SCMP_SYS(semctl), 241 },
|
||||
+ { SCMP_SYS(semop), 241 },
|
||||
+ { SCMP_SYS(semtimedop), 241 },
|
||||
+ { SCMP_SYS(epoll_ctl_old), 241 },
|
||||
+ { SCMP_SYS(epoll_wait_old), 241 },
|
||||
+#endif
|
||||
+ { SCMP_SYS(epoll_pwait), 241 },
|
||||
+ { SCMP_SYS(epoll_create1), 241 },
|
||||
+ { SCMP_SYS(ppoll), 241 },
|
||||
+ { SCMP_SYS(creat), 241 },
|
||||
+ { SCMP_SYS(link), 241 },
|
||||
+ { SCMP_SYS(getpid), 241 },
|
||||
+ { SCMP_SYS(getppid), 241 },
|
||||
+ { SCMP_SYS(getpgrp), 241 },
|
||||
+ { SCMP_SYS(getpgid), 241 },
|
||||
+ { SCMP_SYS(getsid), 241 },
|
||||
+ { SCMP_SYS(getdents64), 241 },
|
||||
+ { SCMP_SYS(getresuid), 241 },
|
||||
+ { SCMP_SYS(getresgid), 241 },
|
||||
+ { SCMP_SYS(getgroups), 241 },
|
||||
+#if defined(__i386__)
|
||||
+ { SCMP_SYS(getresuid32), 241 },
|
||||
+ { SCMP_SYS(getresgid32), 241 },
|
||||
+ { SCMP_SYS(getgroups32), 241 },
|
||||
+ { SCMP_SYS(signal), 241 },
|
||||
+ { SCMP_SYS(sigaction), 241 },
|
||||
+ { SCMP_SYS(sigsuspend), 241 },
|
||||
+ { SCMP_SYS(sigpending), 241 },
|
||||
+ { SCMP_SYS(truncate64), 241 },
|
||||
+ { SCMP_SYS(ftruncate64), 241 },
|
||||
+ { SCMP_SYS(fchown32), 241 },
|
||||
+ { SCMP_SYS(chown32), 241 },
|
||||
+ { SCMP_SYS(lchown32), 241 },
|
||||
+ { SCMP_SYS(statfs64), 241 },
|
||||
+ { SCMP_SYS(fstatfs64), 241 },
|
||||
+ { SCMP_SYS(fstatat64), 241 },
|
||||
+ { SCMP_SYS(lstat64), 241 },
|
||||
+ { SCMP_SYS(sendfile64), 241 },
|
||||
+ { SCMP_SYS(ugetrlimit), 241 },
|
||||
+#endif
|
||||
+ { SCMP_SYS(alarm), 241 },
|
||||
+ { SCMP_SYS(rt_sigsuspend), 241 },
|
||||
+ { SCMP_SYS(rt_sigqueueinfo), 241 },
|
||||
+ { SCMP_SYS(rt_tgsigqueueinfo), 241 },
|
||||
+ { SCMP_SYS(sigaltstack), 241 },
|
||||
+ { SCMP_SYS(signalfd4), 241 },
|
||||
+ { SCMP_SYS(truncate), 241 },
|
||||
+ { SCMP_SYS(fchown), 241 },
|
||||
+ { SCMP_SYS(lchown), 241 },
|
||||
+ { SCMP_SYS(fchownat), 241 },
|
||||
+ { SCMP_SYS(fstatfs), 241 },
|
||||
+ { SCMP_SYS(sendfile), 241 },
|
||||
+ { SCMP_SYS(getitimer), 241 },
|
||||
+ { SCMP_SYS(syncfs), 241 },
|
||||
+ { SCMP_SYS(fsync), 241 },
|
||||
+ { SCMP_SYS(fchdir), 241 },
|
||||
+ { SCMP_SYS(flock), 241 },
|
||||
+ { SCMP_SYS(msync), 241 },
|
||||
+ { SCMP_SYS(sched_setparam), 241 },
|
||||
+ { SCMP_SYS(sched_setscheduler), 241 },
|
||||
+ { SCMP_SYS(sched_yield), 241 },
|
||||
+ { SCMP_SYS(sched_rr_get_interval), 241 },
|
||||
+ { SCMP_SYS(sched_setaffinity), 241 },
|
||||
+ { SCMP_SYS(sched_getaffinity), 241 },
|
||||
+ { SCMP_SYS(readahead), 241 },
|
||||
+ { SCMP_SYS(timer_getoverrun), 241 },
|
||||
+ { SCMP_SYS(unlinkat), 241 },
|
||||
+ { SCMP_SYS(readlinkat), 241 },
|
||||
+ { SCMP_SYS(faccessat), 241 },
|
||||
+ { SCMP_SYS(get_robust_list), 241 },
|
||||
+ { SCMP_SYS(splice), 241 },
|
||||
+ { SCMP_SYS(vmsplice), 241 },
|
||||
+ { SCMP_SYS(getcpu), 241 },
|
||||
+ { SCMP_SYS(sendmmsg), 241 },
|
||||
+ { SCMP_SYS(recvmmsg), 241 },
|
||||
+ { SCMP_SYS(prlimit64), 241 },
|
||||
+ { SCMP_SYS(waitid), 241 }
|
||||
};
|
||||
|
||||
int seccomp_start(void)
|
||||
--
|
||||
1.8.0.2
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 58891f4a215336182677e97c94198ba8cced19cd Mon Sep 17 00:00:00 2001
|
||||
From: Alon Levy <alevy@redhat.com>
|
||||
Date: Wed, 3 Oct 2012 20:13:58 +0200
|
||||
Subject: [PATCH 515/522] hw/qxl: exit on failure to register qxl interface
|
||||
|
||||
This prevents a segfault later on when the device reset handler
|
||||
tries to access a NULL ssd.worker since interface_attach_worker has
|
||||
not been called.
|
||||
|
||||
Signed-off-by: Alon Levy <alevy@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/qxl.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/qxl.c b/hw/qxl.c
|
||||
index 8d33745..db6440e 100644
|
||||
--- a/hw/qxl.c
|
||||
+++ b/hw/qxl.c
|
||||
@@ -2035,7 +2035,11 @@ static int qxl_init_common(PCIQXLDevice *qxl)
|
||||
|
||||
qxl->ssd.qxl.base.sif = &qxl_interface.base;
|
||||
qxl->ssd.qxl.id = qxl->id;
|
||||
- qemu_spice_add_interface(&qxl->ssd.qxl.base);
|
||||
+ if (qemu_spice_add_interface(&qxl->ssd.qxl.base) != 0) {
|
||||
+ error_report("qxl interface %d.%d not supported by spice-server\n",
|
||||
+ SPICE_INTERFACE_QXL_MAJOR, SPICE_INTERFACE_QXL_MINOR);
|
||||
+ return -1;
|
||||
+ }
|
||||
qemu_add_vm_change_state_handler(qxl_vm_change_state_handler, qxl);
|
||||
|
||||
init_pipe_signaling(qxl);
|
||||
--
|
||||
1.8.0.2
|
||||
|
|
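Review bot: The new error_report() call's format string ends in "\n" (the line after the added if in qxl_init_common), and QEMU's error_report() appends its own newline, so the message is followed by a blank line; drop the escape: `error_report("qxl interface %d.%d not supported by spice-server",`. The early `return -1;` also leaves in place whatever qxl_init_common set up before this point, and since the function's body starts above the hunk I can't tell from here whether any earlier allocation or registration needs tearing down on this path; worth confirming against the full function.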
@ -0,0 +1,29 @@
|
|||
From 8ceaa64ed2f20a7af865eb9bac0bc6e54f5f7eea Mon Sep 17 00:00:00 2001
|
||||
From: Alon Levy <alevy@redhat.com>
|
||||
Date: Tue, 2 Oct 2012 11:39:14 +0200
|
||||
Subject: [PATCH 516/522] hw/qxl: fix condition for exiting guest_bug
|
||||
|
||||
Reported and suggested by Paolo Bonzini, thanks.
|
||||
|
||||
Signed-off-by: Alon Levy <alevy@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/qxl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/qxl.c b/hw/qxl.c
|
||||
index db6440e..445705e 100644
|
||||
--- a/hw/qxl.c
|
||||
+++ b/hw/qxl.c
|
||||
@@ -1461,7 +1461,7 @@ static void ioport_write(void *opaque, target_phys_addr_t addr,
|
||||
qxl_async_io async = QXL_SYNC;
|
||||
uint32_t orig_io_port = io_port;
|
||||
|
||||
- if (d->guest_bug && !io_port == QXL_IO_RESET) {
|
||||
+ if (d->guest_bug && io_port != QXL_IO_RESET) {
|
||||
return;
|
||||
}
|
||||
|
||||
--
|
||||
1.8.0.2
|
||||
|
|
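Review bot: The corrected guard now silently drops every guest I/O write while guest_bug is set, and nothing near the if says so; a one-line comment would save the next reader from treating a device that has gone quiet as a separate bug: `/* after a guest bug only QXL_IO_RESET is honoured; all other writes are ignored */`. The old form `!io_port == QXL_IO_RESET` compared 0 or 1 against the constant, so the gate effectively never fired; GCC's and clang's -Wlogical-not-parentheses flags exactly this pattern and would be worth enabling in the build to catch recurrences. ioport_write's body starts outside the hunk.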
@ -0,0 +1,50 @@
|
|||
From 79868eccfd65a7926d7beff42b1094a000b10c01 Mon Sep 17 00:00:00 2001
|
||||
From: Alon Levy <alevy@redhat.com>
|
||||
Date: Thu, 1 Nov 2012 14:56:00 +0200
|
||||
Subject: [PATCH 517/522] hw/qxl: qxl_send_events: nop if stopped
|
||||
|
||||
Added a trace point for easy logging.
|
||||
|
||||
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=870972
|
||||
|
||||
Signed-off-by: Alon Levy <alevy@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/qxl.c | 8 +++++++-
|
||||
trace-events | 1 +
|
||||
2 files changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/qxl.c b/hw/qxl.c
|
||||
index 445705e..8111bb9 100644
|
||||
--- a/hw/qxl.c
|
||||
+++ b/hw/qxl.c
|
||||
@@ -1714,7 +1714,13 @@ static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
|
||||
uint32_t le_events = cpu_to_le32(events);
|
||||
|
||||
trace_qxl_send_events(d->id, events);
|
||||
- assert(qemu_spice_display_is_running(&d->ssd));
|
||||
+ if (!qemu_spice_display_is_running(&d->ssd)) {
|
||||
+ /* spice-server tracks guest running state and should not do this */
|
||||
+ fprintf(stderr, "%s: spice-server bug: guest stopped, ignoring\n",
|
||||
+ __func__);
|
||||
+ trace_qxl_send_events_vm_stopped(d->id, events);
|
||||
+ return;
|
||||
+ }
|
||||
old_pending = __sync_fetch_and_or(&d->ram->int_pending, le_events);
|
||||
if ((old_pending & le_events) == le_events) {
|
||||
return;
|
||||
diff --git a/trace-events b/trace-events
|
||||
index f5b5097..9d39d8d 100644
|
||||
--- a/trace-events
|
||||
+++ b/trace-events
|
||||
@@ -978,6 +978,7 @@ qxl_spice_update_area(int qid, uint32_t surface_id, uint32_t left, uint32_t righ
|
||||
qxl_spice_update_area_rest(int qid, uint32_t num_dirty_rects, uint32_t clear_dirty_region) "%d #d=%d clear=%d"
|
||||
qxl_surfaces_dirty(int qid, int surface, int offset, int size) "%d surface=%d offset=%d size=%d"
|
||||
qxl_send_events(int qid, uint32_t events) "%d %d"
|
||||
+qxl_send_events_vm_stopped(int qid, uint32_t events) "%d %d"
|
||||
qxl_set_guest_bug(int qid) "%d"
|
||||
qxl_interrupt_client_monitors_config(int qid, int num_heads, void *heads) "%d %d %p"
|
||||
qxl_client_monitors_config_unsupported_by_guest(int qid, uint32_t int_mask, void *client_monitors_config) "%d %X %p"
|
||||
--
|
||||
1.8.0.2
|
||||
|
|
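Review bot: The new fprintf(stderr, ...) in qxl_send_events fires on every call made while the display is stopped, with no rate limit; the comment itself attributes the condition to a spice-server bug, so a misbehaving server or a busy guest hitting a stop/cont window could flood stderr. The trace point added below it already records each occurrence, so the message only needs printing once: `static bool warned;` before the if, and inside it `if (!warned) { warned = true; fprintf(stderr, "%s: spice-server bug: guest stopped, ignoring\n", __func__); }`. Note also that the running-state check is not atomic with the __sync_fetch_and_or that follows; if the VM can be stopped between the two, the window the old assert caught is now passed silently, and I can't tell from the hunk whether the caller holds a lock that rules this out. qxl_send_events begins above the hunk.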
@ -0,0 +1,37 @@
|
|||
From acbfa56143a6c8a4e0ceb2546612ae4caea907d3 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 30 Oct 2012 14:55:12 +0100
|
||||
Subject: [PATCH 518/564] qxl: call dpy_gfx_resize when entering vga mode
|
||||
|
||||
When entering vga mode the display size likely changes,
|
||||
notify all displaychangelisteners about this.
|
||||
|
||||
Probably went unnoticed for a while as one if the first
|
||||
things the guest does after leaving qxl native mode and
|
||||
entering qxl vga mode is to set the vga video mode. But
|
||||
there is still a small window where qemu can operate on
|
||||
stale data, leading to crashes now and then.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=865767
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/qxl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/qxl.c b/hw/qxl.c
|
||||
index 8111bb9..3583d98 100644
|
||||
--- a/hw/qxl.c
|
||||
+++ b/hw/qxl.c
|
||||
@@ -1084,7 +1084,7 @@ static void qxl_enter_vga_mode(PCIQXLDevice *d)
|
||||
trace_qxl_enter_vga_mode(d->id);
|
||||
qemu_spice_create_host_primary(&d->ssd);
|
||||
d->mode = QXL_MODE_VGA;
|
||||
- memset(&d->ssd.dirty, 0, sizeof(d->ssd.dirty));
|
||||
+ dpy_resize(d->ssd.ds);
|
||||
vga_dirty_log_start(&d->vga);
|
||||
}
|
||||
|
||||
--
|
||||
1.8.1
|
||||
|
|
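Review bot: The replaced line also drops the memset that zeroed d->ssd.dirty on entering VGA mode, and the hunk does not say where that reset now happens; presumably the spice display listener's resize callback clears ssd.dirty when dpy_resize() notifies it, but that should be confirmed in ui/spice-display.c, since stale dirty rectangles from native mode would otherwise survive the mode switch. A comment on the new line would pin the dependency: `/* notify listeners of the new size; the spice listener's resize path resets ssd.dirty */`. The patch subject names dpy_gfx_resize while the backport calls dpy_resize, the name this tree uses; a word about that in the backport header would help anyone diffing against upstream. qxl_enter_vga_mode's signature is above the hunk.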
@ -0,0 +1,67 @@
|
|||
From d106523eff9b2f7e0b201c04a825c1fbcef1e495 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 2 Nov 2012 09:37:27 +0100
|
||||
Subject: [PATCH 519/564] spice: fix initialization order
|
||||
|
||||
Register displaychangelistener last, after spice is fully initialized,
|
||||
otherwise we may hit NULL pointer dereferences when qemu starts calling
|
||||
our callbacks.
|
||||
|
||||
Commit e250d949feb1334828f27f0d145c35f29c4b7639 triggers this bug.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/qxl.c | 10 ++++++++--
|
||||
ui/spice-display.c | 2 +-
|
||||
2 files changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/qxl.c b/hw/qxl.c
|
||||
index 3583d98..525763b 100644
|
||||
--- a/hw/qxl.c
|
||||
+++ b/hw/qxl.c
|
||||
@@ -2061,6 +2061,7 @@ static int qxl_init_primary(PCIDevice *dev)
|
||||
PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, dev);
|
||||
VGACommonState *vga = &qxl->vga;
|
||||
PortioList *qxl_vga_port_list = g_new(PortioList, 1);
|
||||
+ int rc;
|
||||
|
||||
qxl->id = 0;
|
||||
qxl_init_ramsize(qxl);
|
||||
@@ -2075,9 +2076,14 @@ static int qxl_init_primary(PCIDevice *dev)
|
||||
qemu_spice_display_init_common(&qxl->ssd, vga->ds);
|
||||
|
||||
qxl0 = qxl;
|
||||
- register_displaychangelistener(vga->ds, &display_listener);
|
||||
|
||||
- return qxl_init_common(qxl);
|
||||
+ rc = qxl_init_common(qxl);
|
||||
+ if (rc != 0) {
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ register_displaychangelistener(vga->ds, &display_listener);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
static int qxl_init_secondary(PCIDevice *dev)
|
||||
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
||||
index d062765..4c24c32 100644
|
||||
--- a/ui/spice-display.c
|
||||
+++ b/ui/spice-display.c
|
||||
@@ -617,7 +617,6 @@ void qemu_spice_display_init(DisplayState *ds)
|
||||
{
|
||||
assert(sdpy.ds == NULL);
|
||||
qemu_spice_display_init_common(&sdpy, ds);
|
||||
- register_displaychangelistener(ds, &display_listener);
|
||||
|
||||
sdpy.qxl.base.sif = &dpy_interface.base;
|
||||
qemu_spice_add_interface(&sdpy.qxl.base);
|
||||
@@ -626,4 +625,5 @@ void qemu_spice_display_init(DisplayState *ds)
|
||||
qemu_add_vm_change_state_handler(qemu_spice_vm_change_state_handler, &sdpy);
|
||||
qemu_spice_create_host_memslot(&sdpy);
|
||||
qemu_spice_create_host_primary(&sdpy);
|
||||
+ register_displaychangelistener(ds, &display_listener);
|
||||
}
|
||||
--
|
||||
1.8.1
|
||||
|
|
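Review bot: On the failure path added to qxl_init_primary, `qxl0 = qxl;` (set just above the call) is left pointing at a device whose initialisation failed; if the caller releases the device object after a non-zero return, the file-scope pointer dangles. Reset it before returning: `if (rc != 0) { qxl0 = NULL; return rc; }`. The trailing `return rc;` is always 0 at that point and reads as if an error could still be propagated there; `return 0;` is clearer. The reorder in ui/spice-display.c matches the description and raises nothing on its own.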
@ -0,0 +1,69 @@
|
|||
From e4e6427ffc8a25e6eafdbf1a284319721891fb77 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 21 Nov 2012 14:41:48 +0100
|
||||
Subject: [PATCH 520/564] spice: add new spice-server callbacks to
|
||||
ui/spice-display.c
|
||||
|
||||
Otherwise qemu crashes with non-qxl graphics cards.
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
ui/spice-display.c | 35 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 35 insertions(+)
|
||||
|
||||
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
||||
index 4c24c32..85c055e 100644
|
||||
--- a/ui/spice-display.c
|
||||
+++ b/ui/spice-display.c
|
||||
@@ -569,6 +569,37 @@ static int interface_flush_resources(QXLInstance *sin)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static void interface_update_area_complete(QXLInstance *sin,
|
||||
+ uint32_t surface_id,
|
||||
+ QXLRect *dirty, uint32_t num_updated_rects)
|
||||
+{
|
||||
+ /* should never be called, used in qxl native mode only */
|
||||
+ fprintf(stderr, "%s: abort()\n", __func__);
|
||||
+ abort();
|
||||
+}
|
||||
+
|
||||
+/* called from spice server thread context only */
|
||||
+static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
|
||||
+{
|
||||
+ /* should never be called, used in qxl native mode only */
|
||||
+ fprintf(stderr, "%s: abort()\n", __func__);
|
||||
+ abort();
|
||||
+}
|
||||
+
|
||||
+static void interface_set_client_capabilities(QXLInstance *sin,
|
||||
+ uint8_t client_present,
|
||||
+ uint8_t caps[58])
|
||||
+{
|
||||
+ dprint(3, "%s:\n", __func__);
|
||||
+}
|
||||
+
|
||||
+static int interface_client_monitors_config(QXLInstance *sin,
|
||||
+ VDAgentMonitorsConfig *monitors_config)
|
||||
+{
|
||||
+ dprint(3, "%s:\n", __func__);
|
||||
+ return 0; /* == not supported by guest */
|
||||
+}
|
||||
+
|
||||
static const QXLInterface dpy_interface = {
|
||||
.base.type = SPICE_INTERFACE_QXL,
|
||||
.base.description = "qemu simple display",
|
||||
@@ -588,6 +619,10 @@ static const QXLInterface dpy_interface = {
|
||||
.req_cursor_notification = interface_req_cursor_notification,
|
||||
.notify_update = interface_notify_update,
|
||||
.flush_resources = interface_flush_resources,
|
||||
+ .async_complete = interface_async_complete,
|
||||
+ .update_area_complete = interface_update_area_complete,
|
||||
+ .set_client_capabilities = interface_set_client_capabilities,
|
||||
+ .client_monitors_config = interface_client_monitors_config,
|
||||
};
|
||||
|
||||
static SimpleSpiceDisplay sdpy;
|
||||
--
|
||||
1.8.1
|
||||
|
|
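Review bot: In interface_set_client_capabilities the parameter `uint8_t caps[58]` is only a `uint8_t *` as far as the compiler is concerned; the 58 is neither checked nor named, and must silently agree with the callback type in the spice-server header. If the spice headers export a named size constant, use it here; otherwise say where the number comes from: `uint8_t caps[58]) /* length fixed by the QXLInterface callback type in the spice-server headers */`. The two abort() stubs take the whole VM down from the spice-server thread, which their comments present as intended for callbacks that must not be reached in this mode; a reader auditing crash paths will want that stated once at the top of the group rather than repeated, e.g. `/* qxl-native-mode-only callbacks: reaching them here is a spice-server bug, so fail loudly */`.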
@ -0,0 +1,41 @@
|
|||
From 39a4efbef72744cb09151954091710400c31f18d Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 10 Dec 2012 07:41:07 +0100
|
||||
Subject: [PATCH 521/564] qxl: save qemu_create_displaysurface_from result
|
||||
|
||||
Spotted by Coverity.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=885644
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Markus Armbruster <armbru@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/qxl-render.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/qxl-render.c b/hw/qxl-render.c
|
||||
index b66c168..e7d41ec 100644
|
||||
--- a/hw/qxl-render.c
|
||||
+++ b/hw/qxl-render.c
|
||||
@@ -113,11 +113,12 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
|
||||
qxl->guest_primary.bits_pp);
|
||||
if (qxl->guest_primary.qxl_stride > 0) {
|
||||
qemu_free_displaysurface(vga->ds);
|
||||
- qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
|
||||
- qxl->guest_primary.surface.height,
|
||||
- qxl->guest_primary.bits_pp,
|
||||
- qxl->guest_primary.abs_stride,
|
||||
- qxl->guest_primary.data);
|
||||
+ vga->ds->surface = qemu_create_displaysurface_from
|
||||
+ (qxl->guest_primary.surface.width,
|
||||
+ qxl->guest_primary.surface.height,
|
||||
+ qxl->guest_primary.bits_pp,
|
||||
+ qxl->guest_primary.abs_stride,
|
||||
+ qxl->guest_primary.data);
|
||||
} else {
|
||||
qemu_resize_displaysurface(vga->ds,
|
||||
qxl->guest_primary.surface.width,
|
||||
--
|
||||
1.8.1
|
||||
|
|
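Review bot: The new call is split as `qemu_create_displaysurface_from` on one line and `(qxl->guest_primary.surface.width,` on the next, which reads like a cast or a function-pointer expression; the conventional break is `vga->ds->surface =` followed by the complete call on the next line, indented once. Nothing in the hunk shows whether qemu_create_displaysurface_from can return NULL; if it can, the new assignment needs a check before the surface is used further down, since qxl_render_update_area_unlocked continues outside the hunk.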
@ -1,24 +0,0 @@
|
|||
From 605d30a4a9548e27d65fa90faa29b942df097e1e Mon Sep 17 00:00:00 2001
|
||||
From: Alon Levy <alevy@redhat.com>
|
||||
Date: Tue, 30 Oct 2012 18:00:33 +0200
|
||||
Subject: [PATCH] wip: hw/qxl: inject interrupts in any state
|
||||
|
||||
---
|
||||
hw/qxl.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/hw/qxl.c b/hw/qxl.c
|
||||
index 8d33745..1d8ffae 100644
|
||||
--- a/hw/qxl.c
|
||||
+++ b/hw/qxl.c
|
||||
@@ -1714,7 +1714,6 @@ static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
|
||||
uint32_t le_events = cpu_to_le32(events);
|
||||
|
||||
trace_qxl_send_events(d->id, events);
|
||||
- assert(qemu_spice_display_is_running(&d->ssd));
|
||||
old_pending = __sync_fetch_and_or(&d->ram->int_pending, le_events);
|
||||
if ((old_pending & le_events) == le_events) {
|
||||
return;
|
||||
--
|
||||
1.8.0.2
|
||||
|
26
qemu.spec
26
qemu.spec
|
@ -109,7 +109,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 1.2.2
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
|
@ -468,6 +468,13 @@ Patch0511: 0511-hw-qxl-support-client-monitor-configuration-via-devi.patch
|
|||
Patch0512: 0512-qxl-update_area_io-cleanup-invalid-parameters-handli.patch
|
||||
Patch0513: 0513-qxl-fix-range-check-for-rev3-io-commands.patch
|
||||
Patch0514: 0514-qxl-vnc-register-a-vm-state-handler-for-dummy-spice_.patch
|
||||
Patch0515: 0515-hw-qxl-exit-on-failure-to-register-qxl-interface.patch
|
||||
Patch0516: 0516-hw-qxl-fix-condition-for-exiting-guest_bug.patch
|
||||
Patch0517: 0517-hw-qxl-qxl_send_events-nop-if-stopped.patch
|
||||
Patch0518: 0518-qxl-call-dpy_gfx_resize-when-entering-vga-mode.patch
|
||||
Patch0519: 0519-spice-fix-initialization-order.patch
|
||||
Patch0520: 0520-spice-add-new-spice-server-callbacks-to-ui-spice-dis.patch
|
||||
Patch0521: 0521-qxl-save-qemu_create_displaysurface_from-result.patch
|
||||
|
||||
# usb-redir live-migration and misc bits from upstream master
|
||||
Patch0601: 0601-usb-redir-Convert-to-new-libusbredirparser-0.5-API.patch
|
||||
|
@ -516,8 +523,6 @@ Patch0702: 0702-configure-Add-disable-kvm-options.patch
|
|||
Patch0703: 0703-arm_boot-Change-initrd-load-address-to-halfway-throu.patch
|
||||
# Don't use reserved word 'function' in systemtap files (bz 870972)
|
||||
Patch0704: 0704-dtrace-backend-add-function-to-reserved-words.patch
|
||||
# Drop assertion that was triggering when pausing guests w/ qxl (bz 870972)
|
||||
Patch0705: 0705-wip-hw-qxl-inject-interrupts-in-any-state.patch
|
||||
# libcacard build fixes
|
||||
Patch0706: 0706-libcacard-fix-missing-symbols-in-libcacard.so.patch
|
||||
Patch0707: 0707-configure-move-vscclient-binary-under-libcacard.patch
|
||||
|
@ -1280,6 +1285,13 @@ CAC emulation development files.
|
|||
%patch0512 -p1
|
||||
%patch0513 -p1
|
||||
%patch0514 -p1
|
||||
%patch0515 -p1
|
||||
%patch0516 -p1
|
||||
%patch0517 -p1
|
||||
%patch0518 -p1
|
||||
%patch0519 -p1
|
||||
%patch0520 -p1
|
||||
%patch0521 -p1
|
||||
|
||||
# usb-redir live-migration and misc bits from upstream master
|
||||
%patch0601 -p1
|
||||
|
@ -1323,7 +1335,6 @@ CAC emulation development files.
|
|||
%patch0702 -p1
|
||||
%patch0703 -p1
|
||||
%patch0704 -p1
|
||||
%patch0705 -p1
|
||||
%patch0706 -p1
|
||||
%patch0707 -p1
|
||||
%patch0708 -p1
|
||||
|
@ -1937,6 +1948,13 @@ getent passwd qemu >/dev/null || \
|
|||
%{_libdir}/pkgconfig/libcacard.pc
|
||||
|
||||
%changelog
|
||||
* Mon Jan 21 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-4
|
||||
- Add "qxl: call dpy_gfx_resize when entering vga mode" patch, fixing
|
||||
an often reported use after free crash (rhbz#873845)
|
||||
- Replace "wip: hw/qxl: inject interrupts in any state" patch with the
|
||||
official upstream fix
|
||||
- Add 5 other spice/qxl crash/bug fixes cherry-picked from upstream
|
||||
|
||||
* Fri Jan 18 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-3
|
||||
- Fix a crash when using -vga qxl without -spice (bz #892075)
|
||||
|
||||
|
|
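Review bot: The seven new Patch05xx lines and their %patch applications are added without the group comment the other blocks carry (compare `# usb-redir live-migration and misc bits from upstream master` a few lines below); unless a header above the hunk already covers the 05xx block, a line such as `# spice/qxl crash fixes cherry-picked from upstream (rhbz#873845)` above Patch0515 would tell the next packager why they are here and which bug to check before dropping them. Removing the `# Drop assertion ...` comment together with Patch0705 is correct, since the replacement 0517 patch now carries that explanation itself.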