Backport fixes for openQA input issues after CVE-2017-8379 fix

0201-input-Decrement-queue-count-on-kbd-delay.patch

@@ -0,0 +1,34 @@
+From 77b0359bf414ad666d1714dc9888f1017c08e283 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@suse.de>
+Date: Thu, 22 Jun 2017 09:41:58 +0200
+Subject: [PATCH] input: Decrement queue count on kbd delay
+
+Delays in the input layer are special cased input events. Every input
+event is accounted for in a global intput queue count. The special cased
+delays however did not get removed from the queue, leading to queue overruns
+and thus silent key drops after typing quite a few characters.
+
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Message-id: 1498117318-162102-1-git-send-email-agraf@suse.de
+Fixes: be1a7176 ("input: add support for kbd delays")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ui/input.c b/ui/input.c
+index 2abd46de93..af05f06368 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -256,6 +256,7 @@ static void qemu_input_queue_process(void *opaque)
+     item = QTAILQ_FIRST(queue);
+     g_assert(item->type == QEMU_INPUT_QUEUE_DELAY);
+     QTAILQ_REMOVE(queue, item, node);
++    queue_count--;
+     g_free(item);
+ 
+     while (!QTAILQ_EMPTY(queue)) {
+-- 
+2.14.1
+

0202-hid-Reset-kbd-modifiers-on-reset.patch

@@ -0,0 +1,32 @@
+From 51dbea77a29ea46173373a6dad4ebd95d4661f42 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@suse.de>
+Date: Thu, 22 Jun 2017 09:41:35 +0200
+Subject: [PATCH] hid: Reset kbd modifiers on reset
+
+When resetting the keyboard, we need to reset not just the pending keystrokes,
+but also any pending modifiers. Otherwise there's a race when we're getting
+reset while running an escape sequence (modifier 0x100).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Message-id: 1498117295-162030-1-git-send-email-agraf@suse.de
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/input/hid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/input/hid.c b/hw/input/hid.c
+index 93887ecc43..0d049ff61c 100644
+--- a/hw/input/hid.c
++++ b/hw/input/hid.c
+@@ -487,6 +487,7 @@ void hid_reset(HIDState *hs)
+         memset(hs->kbd.keycodes, 0, sizeof(hs->kbd.keycodes));
+         memset(hs->kbd.key, 0, sizeof(hs->kbd.key));
+         hs->kbd.keys = 0;
++        hs->kbd.modifiers = 0;
+         break;
+     case HID_MOUSE:
+     case HID_TABLET:
+-- 
+2.14.1
+

0203-vnc-Set-default-kbd-delay-to-10ms.patch

@@ -0,0 +1,54 @@
+From d3b0db6dfea6b3a9ee0d96aceb796bdcafa84314 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@suse.de>
+Date: Wed, 12 Jul 2017 14:43:45 +0200
+Subject: [PATCH] vnc: Set default kbd delay to 10ms
+
+The current VNC default keyboard delay is 1ms. With that we're constantly
+typing faster than the guest receives keyboard events from an XHCI attached
+USB HID device.
+
+The default keyboard delay time in the input layer however is 10ms. I don't know
+how that number came to be, but empirical tests on some OpenQA driven ARM
+systems show that 10ms really is a reasonable default number for the delay.
+
+This patch moves the VNC delay also to 10ms. That way our default is much
+safer (good!) and also consistent with the input layer default (also good!).
+
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
+Message-id: 1499863425-103133-1-git-send-email-agraf@suse.de
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ qemu-options.hx | 2 +-
+ ui/vnc.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 76b1c67737..6909285e85 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -1753,7 +1753,7 @@ spec but is traditional QEMU behavior.
+ @item key-delay-ms
+ 
+ Set keyboard delay, for key down and key up events, in milliseconds.
+-Default is 1.  Keyboards are low-bandwidth devices, so this slowdown
++Default is 10.  Keyboards are low-bandwidth devices, so this slowdown
+ can help the device and guest to keep up and not lose events in case
+ events are arriving in bulk.  Possible causes for the latter are flaky
+ network connections, or scripts for automated testing.
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 26136f5d29..eb91559b6b 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -3808,7 +3808,7 @@ void vnc_display_open(const char *id, Error **errp)
+     }
+ 
+     lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
+-    key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);
++    key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
+     sasl = qemu_opt_get_bool(opts, "sasl", false);
+ #ifndef CONFIG_VNC_SASL
+     if (sasl) {
+-- 
+2.14.1
+

qemu.spec

@@ -92,7 +92,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.9.0
-Release: 4%{?rcrel}%{?dist}
+Release: 5%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -157,6 +157,12 @@ Patch0103: 0103-nbd-Fix-regression-on-resiliency-to-port-scan.patch
 # #1466192)
 Patch0104: 0104-qemu-nbd-Ignore-SIGPIPE.patch
 
+# Backported fixes for VNC input issues after the implementation of queue
+# depth limit in input-limit-kbd-queue-depth.patch (bz #1481858)
+Patch0201: 0201-input-Decrement-queue-count-on-kbd-delay.patch
+Patch0202: 0202-hid-Reset-kbd-modifiers-on-reset.patch
+Patch0203: 0203-vnc-Set-default-kbd-delay-to-10ms.patch
+
 # documentation deps
 BuildRequires: texinfo
 # For /usr/bin/pod2man
@@ -2034,6 +2040,9 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Tue Aug 15 2017 Adam Williamson <awilliam@redhat.com> - 2:2.9.0-5
+- Backport fixes for input issues (esp. openQA) after CVE-2017-8379 fix
+
 * Fri Aug 04 2017 Cole Robinson <crobinso@redhat.com> - 2:2.9.0-4
 - Drop qemu workaround for AMD CPU issues (bz #1467599)
 - Backport binfmt/static improvements from rawhide