From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Li Qiang, Gerd Hoffmann, "Michael S. Tsirkin"
Date: Mon, 13 Feb 2017 09:17:26 +0100
Subject: [Qemu-devel] [PULL 1/6] virtio-gpu: fix memory leak in set scanout

From: Li Qiang

In virtio_gpu_set_scanout function, when creating the 'rect' its refcount is set to 2, by pixman_image_create_bits and qemu_create_displaysurface_pixman function. This can lead to memory leak issues. This patch avoids this issue.

Signed-off-by: Li Qiang
Reviewed-by: Marc-André Lureau
Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com
Signed-off-by: Gerd Hoffmann
--- hw/display/virtio-gpu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 444ca06..9b530ab 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c
@@ -608,6 +608,7 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g, cmd->error =3D VIRTIO_GPU_RESP_ERR_UNSPEC; return; } + pixman_image_unref(rect); dpy_gfx_replace_surface(g->scanout[ss.scanout_id].con, scanout->ds= ); } =20 --=20 1.8.3.1

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, "Michael S. Tsirkin"
Date: Mon, 13 Feb 2017 09:17:27 +0100
Subject: [Qemu-devel] [PULL 2/6] virtio-gpu: fix resource leak in virgl_cmd_resource_unref

When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) we'll leak memory. This patch fixes it for 3d mode, similar to the 2d mode fix in commit "b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".

Reported-by: 李强
Signed-off-by: Gerd Hoffmann
Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
--- hw/display/virtio-gpu-3d.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c index f96a0c2..ecb09d1 100644 --- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c 
@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_resource_unref unref; + struct iovec *res_iovs =3D NULL; + int num_iovs =3D 0; =20 VIRTIO_GPU_FILL_CMD(unref); trace_virtio_gpu_cmd_res_unref(unref.resource_id); =20 + virgl_renderer_resource_detach_iov(unref.resource_id, + &res_iovs, + &num_iovs); + if (res_iovs !=3D NULL && num_iovs !=3D 0) { + virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); + } virgl_renderer_resource_unref(unref.resource_id); } =20 --=20 1.8.3.1

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Mon, 13 Feb 2017 09:17:28 +0100
Subject: [Qemu-devel] [PULL 3/6] vga: replace debug printf with trace points

Signed-off-by: Gerd Hoffmann
Reviewed-by: Laurent Vivier
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 1486561893-26470-1-git-send-email-kraxel@redhat.com
--- hw/display/trace-events | 6 ++++++ hw/display/vga.c | 27 ++++----------------------- 2 files changed, 10 insertions(+), 23 deletions(-)
diff --git a/hw/display/trace-events b/hw/display/trace-events index aadb612..26910e2 100644 --- a/hw/display/trace-events +++ b/hw/display/trace-events @@ -119,3 +119,9 @@ qxl_set_client_capabilities_unsupported_by_revision(int= qid, int revision) "%d r qxl_render_blit(int32_t stride, int32_t left, int32_t right, int32_t top, = int32_t bottom) "stride=3D%d [%d, %d, %d, %d]" qxl_render_guest_primary_resized(int32_t width, int32_t height, int32_t st= ride, int32_t bytes_pp, int32_t bits_pp) "%dx%d, stride %d, bpp %d, depth %= d" qxl_render_update_area_done(void *cookie) "%p" + +# hw/display/vga.c +vga_std_read_io(uint32_t addr, uint32_t val) "addr 0x%x, val 0x%x" +vga_std_write_io(uint32_t addr, uint32_t val) "addr 0x%x, val 0x%x" +vga_vbe_read(uint32_t index, uint32_t val) "index 0x%x, val 0x%x" +vga_vbe_write(uint32_t index, uint32_t val) "index 0x%x, val 0x%x" diff --git a/hw/display/vga.c b/hw/display/vga.c index 2a88b3c..69c3e1d 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -34,12 +34,9 @@ #include "hw/xen/xen.h" #include "trace.h" =20 -//#define DEBUG_VGA //#define DEBUG_VGA_MEM //#define DEBUG_VGA_REG =20 -//#define DEBUG_BOCHS_VBE - /* 16 state changes per vertical frame @60 Hz */ #define VGA_TEXT_CURSOR_PERIOD_MS (1000 * 2 * 16 / 60) =20 @@ -428,9 +425,7 @@ uint32_t vga_ioport_read(void *opaque, uint32_t addr) break; } } -#if defined(DEBUG_VGA) - printf("VGA: read addr=3D0x%04x data=3D0x%02x\n", addr, val); -#endif + trace_vga_std_read_io(addr, val); return val; } =20 @@ -443,9 +438,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint= 32_t val) if (vga_ioport_invalid(s, addr)) { return; } -#ifdef DEBUG_VGA - printf("VGA: write addr=3D0x%04x data=3D0x%02x\n", addr, val); -#endif + trace_vga_std_write_io(addr, val); =20 switch(addr) { case VGA_ATT_W: 
@@ -733,9 +726,7 @@ uint32_t vbe_ioport_read_data(void *opaque, uint32_t ad= dr) } else { val =3D 0; } -#ifdef DEBUG_BOCHS_VBE - printf("VBE: read index=3D0x%x val=3D0x%x\n", s->vbe_index, val); -#endif + trace_vga_vbe_read(s->vbe_index, val); return val; } =20 @@ -750,9 +741,7 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr,= uint32_t val) VGACommonState *s =3D opaque; =20 if (s->vbe_index <=3D VBE_DISPI_INDEX_NB) { -#ifdef DEBUG_BOCHS_VBE - printf("VBE: write index=3D0x%x val=3D0x%x\n", s->vbe_index, val); -#endif + trace_vga_vbe_write(s->vbe_index, val); switch(s->vbe_index) { case VBE_DISPI_INDEX_ID: if (val =3D=3D VBE_DISPI_ID0 || 
@@ -1543,17 +1532,9 @@ static void vga_draw_graphic(VGACommonState *s, int = full_update) height, format, s->line_offset, s->vram_ptr + (s->start_addr * 4)); dpy_gfx_replace_surface(s->con, surface); -#ifdef DEBUG_VGA - printf("VGA: Using shared surface for depth=3D%d swap=3D%d\n", - depth, byteswap); -#endif } else { qemu_console_resize(s->con, disp_width, height); surface =3D qemu_console_surface(s->con); -#ifdef DEBUG_VGA - printf("VGA: Using shadow surface for depth=3D%d swap=3D%d\n", - depth, byteswap); -#endif } s->last_scr_width =3D disp_width; s->last_scr_height =3D height; --=20 1.8.3.1

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Mon, 13 Feb 2017 09:17:29 +0100
Subject: [Qemu-devel] [PULL 4/6] cirrus: replace debug printf with trace points

Signed-off-by: Gerd Hoffmann
Reviewed-by: Laurent Vivier
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 1486561893-26470-2-git-send-email-kraxel@redhat.com
--- hw/display/cirrus_vga.c | 11 +++++------ hw/display/trace-events | 6 ++++++ 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 16f27e8..b272a70 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -28,6 +28,7 @@ */ #include "qemu/osdep.h" #include "qapi/error.h" +#include "trace.h" #include "hw/hw.h" #include "hw/pci/pci.h" #include "ui/console.h" @@ -1852,12 +1853,14 @@ static uint8_t cirrus_mmio_blt_read(CirrusVGAState = * s, unsigned address) break; } =20 + trace_vga_cirrus_write_blt(address, value); return (uint8_t) value; } =20 static void cirrus_mmio_blt_write(CirrusVGAState * s, unsigned address, uint8_t value) { + trace_vga_cirrus_write_blt(address, value); switch (address) { case (CIRRUS_MMIO_BLTBGCOLOR + 0): cirrus_vga_write_gr(s, 0x00, value); @@ -2607,9 +2610,7 @@ static uint64_t cirrus_vga_ioport_read(void *opaque, = hwaddr addr, break; } } -#if defined(DEBUG_VGA) - printf("VGA: read addr=3D0x%04x data=3D0x%02x\n", addr, val); -#endif + trace_vga_cirrus_read_io(addr, val); return val; } =20 @@ -2626,9 +2627,7 @@ static void cirrus_vga_ioport_write(void *opaque, hwa= ddr addr, uint64_t val, if (vga_ioport_invalid(s, addr)) { return; } -#ifdef DEBUG_VGA - printf("VGA: write addr=3D0x%04x data=3D0x%02x\n", addr, val); -#endif + trace_vga_cirrus_write_io(addr, val); =20 switch (addr) { case 0x3c0: diff --git a/hw/display/trace-events b/hw/display/trace-events index 26910e2..3e896d2 100644 --- a/hw/display/trace-events +++ b/hw/display/trace-events 
@@ -125,3 +125,9 @@ vga_std_read_io(uint32_t addr, uint32_t val) "addr 0x%x= , val 0x%x" vga_std_write_io(uint32_t addr, uint32_t val) "addr 0x%x, val 0x%x" vga_vbe_read(uint32_t index, uint32_t val) "index 0x%x, val 0x%x" vga_vbe_write(uint32_t index, uint32_t val) "index 0x%x, val 0x%x" + +# hw/display/cirrus_vga.c +vga_cirrus_read_io(uint32_t addr, uint32_t val) "addr 0x%x, val 0x%x" +vga_cirrus_write_io(uint32_t addr, uint32_t val) "addr 0x%x, val 0x%x" +vga_cirrus_read_blt(uint32_t offset, uint32_t val) "offset 0x%x, val 0x%x" +vga_cirrus_write_blt(uint32_t offset, uint32_t val) "offset 0x%x, val 0x%x" --=20 1.8.3.1

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Wolfgang Bumiller, Gerd Hoffmann, "Dr. David Alan Gilbert"
Date: Mon, 13 Feb 2017 09:17:30 +0100
Subject: [Qemu-devel] [PULL 5/6] cirrus: fix patterncopy checks

The blit_region_is_unsafe checks don't work correctly for the patterncopy source. It's a fixed-sized region, which doesn't depend on cirrus_blt_{width,height}. So go do the check in cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that it doesn't need to verify the source. Also handle the case where we blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.

Security impact: I think for the most part error on the safe side this time, refusing blits which should have been allowed. Only exception is placing the blit source at the end of the video ram, so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But even in that case I'm not fully sure this actually allows read access to host memory.
To trick the commit 5858dd18 security checks one has to pick very small cirrus_blt_{width,height} values, which in turn implies only a fraction of the blit source will actually be used. Cc: Wolfgang Bumiller Cc: Dr. David Alan Gilbert Signed-off-by: Gerd Hoffmann Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Wolfgang Bumiller Reviewed-by: Laurent Vivier Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com --- hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index b272a70..1bcf9a4 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -684,14 +684,39 @@ static void cirrus_invalidate_region(CirrusVGAState *= s, int off_begin, } } =20 -static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - const uint8_t * src) +static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videos= rc) { + uint32_t patternsize; uint8_t *dst; + uint8_t *src; =20 dst =3D s->vga.vram_ptr + s->cirrus_blt_dstaddr; =20 - if (blit_is_unsafe(s, false, true)) { + if (videosrc) { + switch (s->vga.get_bpp(&s->vga)) { + case 8: + patternsize =3D 64; + break; + case 15: + case 16: + patternsize =3D 128; + break; + case 24: + case 32: + default: + patternsize =3D 256; + break; + } + s->cirrus_blt_srcaddr &=3D ~(patternsize - 1); + if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) { + return 0; + } + src =3D s->vga.vram_ptr + s->cirrus_blt_srcaddr; + } else { + src =3D s->cirrus_bltbuf; + } + + if (blit_is_unsafe(s, true, true)) { return 0; } =20 
@@ -732,8 +757,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, i= nt blt_rop) =20 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) { - return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr + - (s->cirrus_blt_srcaddr & ~7)); + return cirrus_bitblt_common_patterncopy(s, true); } =20 static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int = h) 
@@ -832,7 +856,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAStat= e * s) =20 if (s->cirrus_srccounter > 0) { if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) { - cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf); + cirrus_bitblt_common_patterncopy(s, false); the_end: s->cirrus_srccounter =3D 0; cirrus_bitblt_reset(s); --=20 1.8.3.1

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Wolfgang Bumiller, Gerd Hoffmann, "Dr. David Alan Gilbert"
Date: Mon, 13 Feb 2017 09:17:31 +0100
Subject: [Qemu-devel] [PULL 6/6] Revert "cirrus: allow zero source pitch in pattern fill rops"

This reverts commit 5858dd1801883309bdd208d72ddb81c4e9fee30c.

Conflicts: hw/display/cirrus_vga.c

Cc: Wolfgang Bumiller
Cc: Dr. David Alan Gilbert
Signed-off-by: Gerd Hoffmann
Reviewed-by: Dr. David Alan Gilbert
Reviewed-by: Laurent Vivier
Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
--- hw/display/cirrus_vga.c | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 1bcf9a4..1deb520 100644
--- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -273,6 +273,9 @@ static void cirrus_update_memory_access(CirrusVGAState = *s); static bool blit_region_is_unsafe(struct CirrusVGAState *s, int32_t pitch, int32_t addr) { + if (!pitch) { + return true; + } if (pitch < 0) { int64_t min =3D addr + ((int64_t)s->cirrus_blt_height - 1) * pitch @@ -291,11 +294,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAStat= e *s, return false; } =20 -static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only, - bool zero_src_pitch_ok) +static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) { - int32_t check_pitch; - /* should be the case, see cirrus_bitblt_start */ assert(s->cirrus_blt_width > 0); assert(s->cirrus_blt_height > 0); @@ -304,10 +304,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, b= ool dst_only, return true; } =20 - if (!s->cirrus_blt_dstpitch) { - return true; - } - if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch, s->cirrus_blt_dstaddr)) { return true; @@ -315,13 +311,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, b= ool dst_only, if (dst_only) { return false; } - - check_pitch =3D s->cirrus_blt_srcpitch; - if (!zero_src_pitch_ok && !check_pitch) { - check_pitch =3D s->cirrus_blt_width; - } - - if (blit_region_is_unsafe(s, check_pitch, + if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, s->cirrus_blt_srcaddr)) { return true; } @@ -716,7 +706,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGASt= ate *s, bool videosrc) src =3D s->cirrus_bltbuf; } =20 - if (blit_is_unsafe(s, true, true)) { + if (blit_is_unsafe(s, true)) { return 0; } =20 @@ -735,7 +725,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, i= nt blt_rop) { cirrus_fill_t rop_func; =20 - if (blit_is_unsafe(s, true, true)) { + if (blit_is_unsafe(s, true)) { return 0; } rop_func =3D cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwid= th - 1]; 
@@ -835,7 +825,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, i= nt src, int w, int h) =20 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) { - if (blit_is_unsafe(s, false, false)) + if (blit_is_unsafe(s, false)) return 0; =20 return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --=20 1.8.3.1
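
Review bot: In [PULL 1/6], virtio_gpu_set_scanout, the error branch directly above the added pixman_image_unref(rect) still sets cmd->error and returns without dropping any reference on rect, so if that branch is reached after rect was created the image leaks on the failure path as well. Suggest calling pixman_image_unref(rect) inside that branch before the return, or funnelling both paths through one exit that releases it.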
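
Review bot: In [PULL 2/6], virgl_cmd_resource_unref, the guard "if (res_iovs != NULL && num_iovs != 0)" skips virtio_gpu_cleanup_mapping_iov whenever num_iovs is 0, so an iovec array handed back with a zero count would never be released. The contract of virgl_renderer_resource_detach_iov is not visible in this hunk; if it can return that combination, test res_iovs alone, and if it cannot, a one-line comment saying so would make the check self-explanatory. Since the guest chooses the command sequence that reaches this path, any remaining leak here is guest-triggerable.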
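
Review bot: In [PULL 3/6], the vga_draw_graphic hunk deletes both DEBUG_VGA printf calls ("Using shared surface" and "Using shadow surface") without adding a trace point, and the trace-events hunk defines only the four io/vbe events, so this output is dropped rather than replaced as the subject line says. Either add a trace event carrying depth and byteswap for the two branches, or state in the commit message that these two messages are removed on purpose.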
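
Review bot: In [PULL 4/6], cirrus_mmio_blt_read calls trace_vga_cirrus_write_blt(address, value) just before "return (uint8_t) value;", so blt register reads are recorded as writes and the vga_cirrus_read_blt event added to trace-events in the same patch is never emitted. The read path should call trace_vga_cirrus_read_blt(address, value); as it stands a trace of guest blt activity cannot distinguish reads from writes.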
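
Review bot: In [PULL 5/6], cirrus_bitblt_common_patterncopy, the videosrc branch writes the aligned address back into device state with "s->cirrus_blt_srcaddr &= ~(patternsize - 1);", and the alignment changes from the old "& ~7" at the call site to 64, 128 or 256 bytes, neither of which is mentioned in the commit message or in a comment. Suggest computing the aligned source into a local variable, and adding a comment that says where the 64/128/256 pattern sizes come from and why 24 bpp shares 256 with 32 bpp, since the bound check against s->vga.vram_size depends on those values being right.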
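
Review bot: In [PULL 5/6], cirrus_bitblt_cputovideo_next, the call "cirrus_bitblt_common_patterncopy(s, false);" discards the int result, so a blit refused by the checks looks the same as a completed one on this path before control falls through to the_end. If ignoring the result is intended because the state is reset either way, say so in a comment; otherwise consider tracing the refusal so rejected guest blits are visible.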
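
Review bot: In [PULL 6/6], blit_region_is_unsafe now rejects every zero pitch with "if (!pitch) { return true; }" but carries no comment, while the removed code in blit_is_unsafe treated a zero source pitch specially by falling back to cirrus_blt_width. Because this series has changed the zero-pitch behaviour in both directions, add a comment stating that zero pitch is refused for source and destination alike and that the patterncopy source is validated separately, so the next change to these checks does not reintroduce the special case by accident.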