| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Report:
1. Condition surface, taking false branch
406 if (surface && ssd->surface &&
407 surface_width(surface) == pixman_image_get_width(ssd->surface) &&
408 surface_height(surface) == pixman_image_get_height(ssd->surface)) {
409 /* no-resize fast path: just swap backing store */
...
10. alias_transfer: Assigning: ssd->ds = surface.
440 ssd->ds = surface;
11. var_deref_op: Dereferencing null pointer ssd->ds.
CID 1264334 (#1 of 1): Dereference after null check (FORWARD_NULL)
441 ssd->surface = pixman_image_ref(ssd->ds->image);
Fix:
Move code block dereferencing ssd->ds into the already existing
if (ssd->ds) { ... } block.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Just hook up qemu_pixman_check_format.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Add fast path to qemu_spice_display_switch in case old and new
displaysurface have identical size (happens with display panning
and page flipping). We just swap the backing store then and don't
go through the whole process of deleting and creating the primary
surface.
To simplify the code a bit move mirror surface allocation to
qemu_spice_display_switch().
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Calling directly doesn't work due to the qxl-render code running in
spice server thread context. Meanwhile bottom half scheduling is
thread-safe though, so we can use that to kick a cursor update in
main i/o thread context.
Cc: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Related spice-only bug. We have a fixed 16 MB buffer here, being
presented to the spice-server as qxl video memory in case spice is
used with a non-qxl card. It's also used with qxl in vga mode.
When using display resolutions requiring more than 16 MB of memory we
are going to overflow that buffer. In theory the guest can write,
indirectly via spice-server. The spice-server clears the memory after
setting a new video mode though, triggering a segfault in the overflow
case, so qemu crashes before the guest has a chance to do something
evil.
Fix that by switching to dynamic allocation for the buffer.
CVE-2014-3615
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
Tested-by: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1403244764-8622-1-git-send-email-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
So you'll have a mouse pointer when running non-qxl gfx cards with
mouse pointer support (virtio-gpu, IIRC vmware too).
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Reported-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
This patch fixes spice display initialization to handle
multihead properly.
spice-core now keeps track of which QemuConsole has a spice
display channel attached to it and which has not. It also
manages display channel ids.
spice-display looks at all QemuConsoles and will pick up any
graphic console not yet bound to a spice channel (which in practice
are all non-qxl graphic devices).
Result is that
(a) you'll get a spice client window for each graphical device
now (first only without this patch), and
(b) mixing qxl and non-qxl vga cards works properly.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
And s/__FUNCTION__/__func__/ while being at it.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
hose API are deprecated since 0.11, and qemu depends on 0.12 already.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
We don't have multiple DisplayStates any more,
so passing it in as argument is not needed.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
DisplayChangeListener gets a new QemuConsole field, which can be set to
non-NULL before registering. This will pin the QemuConsole, so that
particular DisplayChangeListener will not follow console switches.
spice+gtk (which don't support text console input anyway) are switched
over to be pinned to console 0, which usually is the graphical display.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Add QemuConsole parameter to vga_hw_*, so the interface allows to update
non-active consoles (the actual code can't handle this yet, see next
patch). Passing NULL is allowed and updates the active console, like
the functions do today.
While touching all vga_hw_* calls anyway rename that to the functions to
hardware-neutral graphics_hw_*
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Use QemuConsole instead. Updates interfaces in console.[ch] and adapts
gfx hardware emulation code.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Now that nobody depends on DisplayState in DisplayChangeListener
callbacks any more we can remove the parameter from all callbacks.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Rework DisplayStateListener callbacks to not use the DisplayState
any more.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Replace the dpy_gfx_resize and dpy_gfx_setdata DisplayChangeListener
callbacks with a dpy_gfx_switch callback which notifies the ui code
when the framebuffer backing storage changes.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
DisplayChangeListener is passed now to all DisplayChangeListenerOps
callbacks, so we can use that to access the spice display state and
kill the sdpy global variable.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Split callbacks into separate Ops struct. Pass DisplayChangeListener
pointer as first argument to all callbacks. Uninline a bunch of
display functions and move them from console.h to console.c
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Otherwise qemu crashes with non-qxl graphics cards.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Register displaychangelistener last, after spice is fully initialized,
otherwise we may hit NULL pointer dereferences when qemu starts calling
our callbacks.
Commit e250d949feb1334828f27f0d145c35f29c4b7639 triggers this bug.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Switch over spice-display.c to use the pixman library
instead of the home-grown pflib bits.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Stop abusing displaysurface fields for text mode displays.
(bpp = 0, width = cols, height = lines).
Add flags to displaystate indicating whenever text mode display
(curses) or gfx mode displays (sdl, vnc, ...) are present.
Add separate displaychangelistener callbacks for text / gfx mode
resize & updates.
This allows to enable gfx and txt diplays at the same time and also
paves the way for more cleanups in the future.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
When adding DisplayChangeListeners the set_mouse and cursor_define
callbacks have been left in DisplayState for some reason. Fix it.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
With the next qemu version (1.3) we are going to bump the qxl device
revision to 4. The new features available require a recent spice-server
version, so raise up the bar. Otherwise we would end up with different
qxl revisions depending on the spice-server version installed, which
would be a major PITA when it comes to compat properties.
Clear out a big bunch of #ifdefs which are not needed any more.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
* stefanha/trivial-patches:
configure: fix seccomp check
arch_init.c: add missing '%' symbols before PRIu64 in debug printfs
kvm: Fix warning from static code analysis
qapi: Fix enumeration typo error
console: Clean up bytes per pixel calculation
Fix copy&paste typos in documentation comments
linux-user: Remove #if 0'd cpu_get_real_ticks() definition
ui: Fix spelling in comment (ressource -> resource)
Spelling fixes in comments and macro names (ressource -> resource)
Fix spelling (licenced -> licensed) in GPL
Spelling fixes in comments and documentation
srp: Don't use QEMU_PACKED for single elements of a structured type
|
|
The function is called interface_release_resource.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
|
|
when creating screen updates go compare the current guest screen
against the mirror (which holds the most recent update sent), then
only create updates for the screen areas which did actually change.
[ v2: drop redundant qemu_spice_create_one_update call ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Create a screen mirror, keep there a copy of the most recent update
passed on to spice-server.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Creating one function which creates a single update for a given
rectangle. And one (for now) pretty simple wrapper around it to
queue up screen updates for the dirty region.
[ v2: also update bounding box ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
QXLWorker->start/stop are deprecated since spice-server 0.11.2
Signed-off-by: Yonit Halperin <yhalperi@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
We can't initialize QXLDevSurfaceCreate field by field because it has a
pa hole, and so 4 bytes remain uninitialized when building on x86-64, so
just memset.
Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
The official spelling is QEMU.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
[blauwirbel@gmail.com: fixed comment style in hw/sun4m.c]
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
|
|
The current intptr_t casts are a problem when the address's highest
bit is 1, and it is cast to a intptr_t and then to uint64_t, such
as at:
surface.mem = (intptr_t)ssd->buf;
This causes the sign bit to be extended which causes a wrong address to
be passed on to spice, which then complains when it gets the wrong
slot_id number, since the slot_id is taken from the higher bits.
The assertion happens early - during the first primary surface creation.
This fixes running "-vga qxl -spice" with 32 bit compiled
qemu-system-i386.
Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Fix compilation failures ("cast from pointer to integer of
different size [-Werror=pointer-to-int-cast]") by using
uintptr_t instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
dprint is still used for qxl_init_common one time prints.
also switched parts of spice-display.c over, mainly all the callbacks to
spice server.
All qxl device trace events start with the qxl device id.
Signed-off-by: Alon Levy <alevy@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Will be used in the next patch.
Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
drop all ifdefs on SPICE_INTERFACE_QXL_MINOR >= 1 as a result,
any check for SPICE_SERVER_VERSION that is now always satisfied,
and SPICE_INTERFACE_CORE_MINOR >= 3 tests, because
0.8.2 has SPICE_INTERFACE_QXL_MINOR == 1 and
SPICE_INTERFACE_CORE_MINOR == 3.
Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
regression introduced by 075360945860ad9bdd491921954b383bf762b0e5,
v2: lock around qemu_spice_cursor_refresh_unlocked
Reported-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
|
