aboutsummaryrefslogtreecommitdiff
path: root/hw/display
AgeCommit message (Collapse)Author
2017-02-28Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into ↵Peter Maydell
staging trivial patches for 2017-02-28 # gpg: Signature made Tue 28 Feb 2017 06:43:55 GMT # gpg: using RSA key 0x701B4F6B1A693E59 # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 # Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931 4B22 701B 4F6B 1A69 3E59 * remotes/mjt/tags/trivial-patches-fetch: syscall: fixed mincore(2) not failing with ENOMEM hw/acpi/tco.c: fix tco timer stop lm32: milkymist-tmu2: fix a third integer overflow qemu-options.hx: add missing id=chr0 chardev argument in vhost-user example Update copyright year tests/prom-env: Enable the test for the sun4u machine, too cadence_gem: Remove unused parameter debug message register: fix incorrect read mask ide: remove undefined behavior in ide-test CODING_STYLE: Mention preferred comment form hw/core/register: Mark the device with cannot_instantiate_with_device_add_yet hw/core/or-irq: Mark the device with cannot_instantiate_with_device_add_yet softfloat: Use correct type in float64_to_uint64_round_to_zero() target/s390x: Fix typo Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-28lm32: milkymist-tmu2: fix a third integer overflowPeter Maydell
Don't truncate the multiplication and do a 64 bit one instead because the result is stored in a 64 bit variable. This fixes a similar coverity warning to commits 237a8650d640 and 4382fa655498, in a similar way, and is the final third of the fix for coverity CID 1167561 (hopefully!). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: Michael Walle <michael@walle.cc> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-02-27virtio-gpu: use dpy_gl_scanout_disableGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1487669841-13668-4-git-send-email-kraxel@redhat.com
2017-02-27console: rename dpy_gl_scanout to dpy_gl_scanout_textureGerd Hoffmann
We'll add a variant which accepts dmabufs soon. Change the name so we can easily disturgish the two variants. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1487669841-13668-2-git-send-email-kraxel@redhat.com
2017-02-24cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)Gerd Hoffmann
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-13migration: consolidate VMStateField.startHalil Pasic
The member VMStateField.start is used for two things, partial data migration for VBUFFER data (basically provide migration for a sub-buffer) and for locating next in QTAILQ. The implementation of the VBUFFER feature is broken when VMSTATE_ALLOC is used. This however goes unnoticed because actually partial migration for VBUFFER is not used at all. Let's consolidate the usage of VMStateField.start by removing support for partial migration for VBUFFER. Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com> Message-Id: <20170203175217.45562-1-pasic@linux.vnet.ibm.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-02-10Revert "cirrus: allow zero source pitch in pattern fill rops"Gerd Hoffmann
This reverts commit 5858dd1801883309bdd208d72ddb81c4e9fee30c. Conflicts: hw/display/cirrus_vga.c Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
2017-02-10cirrus: fix patterncopy checksGerd Hoffmann
The blit_region_is_unsafe checks don't work correctly for the patterncopy source. It's a fixed-sized region, which doesn't depend on cirrus_blt_{width,height}. So go do the check in cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that it doesn't need to verify the source. Also handle the case where we blit from cirrus_bitbuf correctly. This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c. Security impact: I think for the most part error on the safe side this time, refusing blits which should have been allowed. Only exception is placing the blit source at the end of the video ram, so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But even in that case I'm not fully sure this actually allows read access to host memory. To trick the commit 5858dd18 security checks one has to pick very small cirrus_blt_{width,height} values, which in turn implies only a fraction of the blit source will actually be used. Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
2017-02-10cirrus: replace debug printf with trace pointsGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1486561893-26470-2-git-send-email-kraxel@redhat.com
2017-02-10vga: replace debug printf with trace pointsGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1486561893-26470-1-git-send-email-kraxel@redhat.com
2017-02-10virtio-gpu: fix resource leak in virgl_cmd_resource_unrefGerd Hoffmann
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) we'll leak memory. This patch fixes it for 3d mode, simliar to the 2d mode fix in commit "b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". Reported-by: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
2017-02-10virtio-gpu: fix memory leak in set scanoutLi Qiang
In virtio_gpu_set_scanout function, when creating the 'rect' its refcount is set to 2, by pixman_image_create_bits and qemu_create_displaysurface_pixman function. This can lead a memory leak issues. This patch avoid this issue. Signed-off-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-03Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170202-2' into ↵Peter Maydell
staging cirrus: multiple bugfixes, including CVE-2017-2615 fix. # gpg: Signature made Thu 02 Feb 2017 15:03:35 GMT # gpg: using RSA key 0x4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/pull-vga-20170202-2: cirrus: fix oob access issue (CVE-2017-2615) cirrus: fix blit address mask handling cirrus: allow zero source pitch in pattern fill rops cirrus: handle negative pitch in cirrus_invalidate_region() Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-02Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' ↵Peter Maydell
into staging # gpg: Signature made Wed 01 Feb 2017 13:44:32 GMT # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/tracing-pull-request: trace: clean up trace-events files qapi: add missing trace_visit_type_enum() call trace: improve error reporting when parsing simpletrace header trace: update docs to reflect new code generation approach trace: switch to modular code generation for sub-directories trace: move setting of group name into Makefiles trace: move hw/i386/xen events to correct subdir trace: move hw/xen events to correct subdir trace: move hw/block/dataplane events to correct subdir make: move top level dir to end of include search path # Conflicts: # Makefile Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-02cirrus: fix oob access issue (CVE-2017-2615)Li Qiang
When doing bitblt copy in backward mode, we should minus the blt width first just like the adding in the forward mode. This can avoid the oob access of the front of vga's vram. Signed-off-by: Li Qiang <liqiang6-s@360.cn> { kraxel: with backward blits (negative pitch) addr is the topmost address, so check it as-is against vram size ] Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-02-01cirrus: fix blit address mask handlingGerd Hoffmann
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr right after assigning them, in cirrus_bitblt_start(), instead of having this all over the place in the cirrus code, and missing a few places. Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
2017-02-01cirrus: allow zero source pitch in pattern fill ropsWolfgang Bumiller
The rops used by cirrus_bitblt_common_patterncopy only use the destination pitch, so the source pitch shoul allowed to be zero and the blit with used for the range check around the source address. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-02-01cirrus: handle negative pitch in cirrus_invalidate_region()Wolfgang Bumiller
cirrus_invalidate_region() calls memory_region_set_dirty() on a per-line basis, always ranging from off_begin to off_begin+bytesperline. With a negative pitch off_begin marks the top most used address and thus we need to do an initial shift backwards by a line for negative pitches of backward blits, otherwise the first iteration covers the line going from the start offset forwards instead of backwards. Additionally since the start address is inclusive, if we shift by a full `bytesperline` we move to the first address *not* included in the blit, so we only shift by one less than bytesperline. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com [ kraxel: codestyle fixes ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-31trace: clean up trace-events filesStefan Hajnoczi
There are a number of unused trace events that scripts/cleanup-trace-events.pl finds. The "hw/vfio/pci-quirks.c" filename was typoed and "qapi/qapi-visit-core.c" was missing the qapi/ directory prefix. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 20170126171613.1399-3-stefanha@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-01-31qxl: switch to constants within BUILD_BUG_ONMichael S. Tsirkin
We are switching BUILD_BUG_ON to verify that it's parameter is a compile-time constant, and it turns out that some gcc versions (specifically gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609) are not smart enough to figure it out for expressions involving local variables. This is harmless but means that the check is ineffective for these platforms. To fix, replace variables with macros. Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-01-27char: rename CharDriverState ChardevMarc-André Lureau
Pick a uniform chardev type name. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-01-25Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into ↵Peter Maydell
staging trivial patches for 2017-01-24 # gpg: Signature made Tue 24 Jan 2017 20:27:08 GMT # gpg: using RSA key 0x701B4F6B1A693E59 # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 # Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931 4B22 701B 4F6B 1A69 3E59 * remotes/mjt/tags/trivial-patches-fetch: (31 commits) hw/isa/isa-bus: Set category of the "isabus-bridge" device usb: Set category and description of the MTP device gdbstub.c: update old error report statements gdbstub.c: fix GDB connection segfault caused by empty machines scsi-disk: add 'fall through' comment to switch VERIFY cases Drop duplicate display option documentation hw/display/framebuffer.c: Avoid overflow for framebuffers > 4GB win32: use glib gpoll if glib >= 2.50 util/mmap-alloc: refactor a little bit for readability util/mmap-alloc: check parameter before using vfio: remove a duplicated word in comments docs: sync pci-ids.txt disas/cris.c: Fix Coverity warning about unchecked NULL lm32: milkymist-tmu2: fix another integer overflow hw/i386/kvmvapic: Remove dead code in patch_hypercalls() doc/usb2: fix typo qga: fix erroneous argument to strerror block: remove dead check pci-assign: avoid pointless stat qemu-img: remove dead check ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-01-24hw/display/framebuffer.c: Avoid overflow for framebuffers > 4GBPeter Maydell
Coverity points out that calculating src_len by multiplying src_width by rows could overflow. This can only happen in the implausible case of a framebuffer larger than 4GB, but we may as well fix it, placating Coverity. (CID1005515) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24lm32: milkymist-tmu2: fix another integer overflowPeter Maydell
Don't truncate the multiplication and do a 64 bit one instead because the result is stored in a 64 bit variable. This fixes a similar coverity warning to commit 237a8650d640, in a similar way, and is the other half of the fix for coverity CID 1167561. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Michael Walle <michael@walle.cc> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24hw: Fix typos found by codespellStefan Weil
Signed-off-by: Stefan Weil <sw@weilnetz.de> Acked-by: Alistair Francis <alistair.francis@xilinx.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-01-24migration: disallow migrate_add_blocker during migrationAshijeet Acharya
If a migration is already in progress and somebody attempts to add a migration blocker, this should rightly fail. Add an errp parameter and a retcode return value to migrate_add_blocker. Signed-off-by: John Snow <jsnow@redhat.com> Signed-off-by: Ashijeet Acharya <ashijeetacharya@gmail.com> Message-Id: <1484566314-3987-5-git-send-email-ashijeetacharya@gmail.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Acked-by: Greg Kurz <groug@kaod.org> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Merged with recent 'Allow invtsc migration' change
2017-01-24migration: extend VMStateInfoJianjun Duan
Current migration code cannot handle some data structures such as QTAILQ in qemu/queue.h. Here we extend the signatures of put/get in VMStateInfo so that customized handling is supported. put now will return int type. Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Jianjun Duan <duanj@linux.vnet.ibm.com> Message-Id: <1484852453-12728-2-git-send-email-duanj@linux.vnet.ibm.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2017-01-11virtio-gpu: tag as not hotpluggableGerd Hoffmann
qemu can't hotplug display devices. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 1483970138-20360-1-git-send-email-kraxel@redhat.com
2017-01-11virtio-gpu: Fix memory leak in virtio_gpu_load()Peter Maydell
Coverity points out that if we fail in the "creating resources" loop in virtio_gpu_load() we will leak various resources (CID 1356431). Failing a VM load is going to leave the simulation in a complete mess, but we can tidy up to the point that a full system reset should get us back to sanity. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1483969123-14839-3-git-send-email-peter.maydell@linaro.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11virtio-gpu: Recalculate VirtIOGPU::hostmem on VM loadPeter Maydell
The 'hostmem' field in VirtIOGPU is used to track the total memory used in pixmaps so that we can impose a maximum limit on it. However this field is neither migrated nor recalculated on VM load, which means that after a migration it will be incorrectly too low, which can allow the guest to use more pixmap memory than it should. The per-resource hostmem fields are not filled in either as we reallocate them in the load function. Recalculate the memory used for each pixmap and the total memory used as we reallocate the pixmaps in virtio_gpu_load(). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1483969123-14839-2-git-send-email-peter.maydell@linaro.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11display: cirrus: ignore source pitch value as needed in blit_is_unsafeBruce Rogers
Commit 4299b90 added a check which is too broad, given that the source pitch value is not required to be initialized for solid fill operations. This patch refines the blit_is_unsafe() check to ignore source pitch in that case. After applying the above commit as a security patch, we noticed the SLES 11 SP4 guest gui failed to initialize properly. Signed-off-by: Bruce Rogers <brogers@suse.com> Message-id: 20170109203520.5619-1-brogers@suse.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-11virtio-gpu: fix information leak in capset get dispatchLi Qiang
In virgl_cmd_get_capset function, it uses g_malloc to allocate a response struct to the guest. As the 'resp'struct hasn't been full initialized it will lead the 'resp->padding' field to the guest. Use g_malloc0 to avoid this. Signed-off-by: Li Qiang <liqiang6-s@360.cn> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com [ kraxel: resolved conflict ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-09i2c: Allow I2C devices to NAK start eventsCorey Minyard
Add a return value to the event handler. Some I2C devices will NAK if they have no data, so allow them to do this. This required the following changes: Go through all the event handlers and change them to return int and return 0. Modify i2c_start_transfer to terminate the transaction on a NAK. Modify smbus handing to not assert if a NAK occurs on a second operation, and terminate the transaction and return -1 instead. Add some information on semantics to I2CSlaveClass. Signed-off-by: Corey Minyard <cminyard@mvista.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-01-03virtio-gpu: fix memory leak in resource attach backingLi Qiang
In the resource attach backing function, everytime it will allocate 'res->iov' thus can leading a memory leak. This patch avoid this. Signed-off-by: Li Qiang <liq3ea@gmail.com> Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03virtio-gpu-3d: fix memory leak in resource attach backingLi Qiang
If the virgl_renderer_resource_attach_iov function fails the 'res_iovs' will be leaked. Add check of the return value to free the 'res_iovs' when failing. Signed-off-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-01-03virtio-gpu: call cleanup mapping function in resource destroyLi Qiang
If the guest destroy the resource before detach banking, the 'iov' and 'addrs' field in resource is not freed thus leading memory leak issue. This patch avoid this. Signed-off-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-20virtio-gpu: track and limit host memory allocationsGerd Hoffmann
This patch makes virtio-gpu track host memory allocations for ressources and applies a limit (configurable 256M by default). When exceeding the limit virtio-gpu throws VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY errors (like it already does today when pixman image allocations fail). This patch covers 2d mode only. For 3d mode we have to figure how we are going to handle this best. qemu doesn't track resources in case virglrenderer is used, so I guess we should extend virglrenderer to allow setting a limit, then let qemu set the limit and catch virgl_renderer_resource_create failures. Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: Dave Airlie <airlied@redhat.com> Cc: 李强 <liqiang6-s@360.cn> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1480423356-22255-1-git-send-email-kraxel@redhat.com
2016-12-20display: virtio-gpu-3d: check virgl capabilities max_sizePrasad J Pandit
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command, retrieves the maximum capabilities size to fill in the response object. It continues to fill in capabilities even if retrieved 'max_size' is zero(0), thus resulting in OOB access. Add check to avoid it. Reported-by: Zhenhao Hong <zhenhaohong@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20161214070156.23368-1-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05display: cirrus: check vga bits per pixel(bpp) valuePrasad J Pandit
In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA, 'cirrus_get_bpp' returns zero(0), which could lead to a divide by zero error in while copying pixel data. The same could occur via blit pitch values. Add check to avoid it. Reported-by: Huawei PSIRT <psirt@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05virtio-gpu: fix memory leak in update_cursor_data_virglLi Qiang
In update_cursor_data_virgl function, if the 'width'/ 'height' is not equal to current cursor's width/height it will return without free the 'data' allocated previously. This will lead a memory leak issue. This patch fix this issue. Signed-off-by: Li Qiang <liqiang6-s@360.cn> Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05virtio-gpu: fix information leak in getting capset info dispatchLi Qiang
In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't been full initialized before writing to the guest. This will leak the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This patch fix this issue. Signed-off-by: Li Qiang <liqiang6-s@360.cn> Message-id: 5818661e.0860240a.77264.7a56@mx.google.com Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changesChristophe Fergeau
Currently if the client keeps sending the same monitor config to QEMU/spice-server, QEMU will always raise a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a change or not. Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the event to user-space without checking if there were actual changes. Next in line are gnome-shell/mutter (on a default f25 install), which will try to reconfigure everything without checking if there is anything to do. Where this gets ugly is that when applying the resolution changes, gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and drmModeSetCrtc, which will cause the primary surface to be destroyed and recreated by the QXL KMS driver. This in turn will cause the client to resend a client monitors config message, which will cause QEMU to reemit an interrupt with an unchanged monitors configuration, ... This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484 This commit makes sure that we only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration changes the guest should act on. Signed-off-by: Christophe Fergeau <cfergeau@redhat.com> Message-id: 20161028144840.18326-1-cfergeau@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-10-31Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20161028-tag' ↵Peter Maydell
into staging Xen 2016/10/28 # gpg: Signature made Sat 29 Oct 2016 02:03:42 BST # gpg: using RSA key 0x894F8F4870E1AE90 # gpg: Good signature from "Stefano Stabellini <sstabellini@kernel.org>" # gpg: aka "Stefano Stabellini <stefano.stabellini@eu.citrix.com>" # Primary key fingerprint: D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 * remotes/sstabellini/tags/xen-20161028-tag: xen: Rename xen_be_del_xendev xen: Rename xen_be_find_xendev xen: Rename xen_be_evtchn_event xen: Rename xen_be_send_notify xen: Rename xen_be_unbind_evtchn xen: Rename xen_be_printf to xen_pv_printf xen: Move xenstore cleanup and mkdir functions xen: Prepare xendev qtail to be shared with frontends xen: Move evtchn functions to xen_pvdev.c xen: Move xenstore_update to xen_pvdev.c xen: Create a new file xen_pvdev.c xen: Fix coding style warnings xen: Fix coding style errors Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2016-10-28xen: Rename xen_be_find_xendevEmil Condrea
Prepare xen_be_find_xendev to be shared with frontends: * xen_be_find_xendev -> xen_pv_find_xendev Signed-off-by: Emil Condrea <emilcondrea@gmail.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Quan Xu <xuquan8@huawei.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28xen: Rename xen_be_send_notifyEmil Condrea
Prepare xen_be_send_notify to be shared with frontends: * xen_be_send_notify -> xen_pv_send_notify Signed-off-by: Emil Condrea <emilcondrea@gmail.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Quan Xu <xuquan8@huawei.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28xen: Rename xen_be_unbind_evtchnEmil Condrea
Prepare xen_be_unbind_evtchn to be shared with frontends: * xen_be_unbind_evtchn -> xen_pv_unbind_evtchn Signed-off-by: Emil Condrea <emilcondrea@gmail.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Quan Xu <xuquan8@huawei.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28xen: Rename xen_be_printf to xen_pv_printfEmil Condrea
Prepare xen_be_printf to be used by both backend and frontends: * xen_be_printf -> xen_pv_printf Signed-off-by: Emil Condrea <emilcondrea@gmail.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Quan Xu <xuquan8@huawei.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28xen: Fix coding style warningsEmil Condrea
Fixes: * WARNING: line over 80 characters Signed-off-by: Emil Condrea <emilcondrea@gmail.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Quan Xu <xuquan8@huawei.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28xen: Fix coding style errorsEmil Condrea
Fixes the following errors: * ERROR: line over 90 characters * ERROR: code indent should never use tabs * ERROR: space prohibited after that open square bracket '[' * ERROR: do not initialise statics to 0 or NULL * ERROR: "(foo*)" should be "(foo *)" Signed-off-by: Emil Condrea <emilcondrea@gmail.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Quan Xu <xuquan8@huawei.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
2016-10-28lm32: milkymist-tmu2: fix integer overflowMichael Walle
Don't truncate the multiplication and do a 64 bit one instead because because the result is stored in a 64 bit variable. Spotted by coverity, CID 1167561. Signed-off-by: Michael Walle <michael@walle.cc> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>