hw/display: check frame buffer can hold blob

Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix thi

hw/display: check frame buffer can hold blob

Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix this by first using stride for all lines and casting input
to uint64_t to ensure a 64 bit multiply is used.

Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20241111230040.68470-3-alex.bennee@linaro.org>

show more ...

hw/display: factor out the scanout blob to fb conversion

There are two identical sequences of a code doing the same thing that
raise warnings with Coverity. Before fixing those issues lets factor
ou

hw/display: factor out the scanout blob to fb conversion

There are two identical sequences of a code doing the same thing that
raise warnings with Coverity. Before fixing those issues lets factor
out the common code into a helper function we can share.

Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20241111230040.68470-2-alex.bennee@linaro.org>

show more ...

Merge tag 'hw-misc-20241118' of https://github.com/philmd/qemu into staging

Misc HW fixes

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmc7NwwACgkQ4+MsLN6t
# wN7z

Merge tag 'hw-misc-20241118' of https://github.com/philmd/qemu into staging

Misc HW fixes

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmc7NwwACgkQ4+MsLN6t
# wN7zBA//VTiAcjB1KYovOiHQWdhtyE7JU+ZOCzULK2aDoKCP9wZM5yZVQgKbDFX/
# +bI2yjzTfZAWknxnqdShQMxvJE3PkD25mm8D2bP22/U9agKSrX4ll9pGt1NMIHUR
# Hy01gxoLYp0r/Vs0aDWVQGSU4v62hKjTNOFn30Gqg+Xu9W4glEPSwI5GicypxpWZ
# nNAl88whHZ6qouadNCSt0JghwWplw6ZkV3LU4dAUhhhRh+vkPoA3NiCCr4cNqNjJ
# yeGc6lLGf2M9GMpX3t2XEV6lXkBTdhUtdv0inZTzH8W2dYt/SL3n/nSKdddXU+fl
# F5cfUV8vhFTxeGOTodbwjv3GHxk4BAjKXhoHCPikkCC+tdzgCoAn+ie9Q0iSp28A
# kpXt099ByFpkCQ+4fu2+XjX6deC8mxKBKrqjNNEZDqhwuOuiG5Kw8lAzueQErmcZ
# djPm6HqnMQFvs4kAp3VMWiqMgkpjJqwB7dfffJfLcXr3+2WF8Ts181/y9LqnkGqn
# rlEjy57/dzbzTdt547j8GtKCbXmYOxUgd2a3k2sKCGBsCITtIpTjz2YsrafV84iD
# gij8M1IHvt41TNhikvWNKGxJ/5ZY2cx5G/QRbRFVYdFAR14xM45Q/XYuziQgt4if
# 6/g7WibP9d8Sqb5Mlj4HLqpPghY0AZ+aaIAHVCDCVYsLpbw7Ixk=
# =zdCl
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 12:46:04 GMT
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20241118' of https://github.com/philmd/qemu:
hw/watchdog/cmsdk_apb_watchdog: Fix broken link
net: mark struct ip_header as QEMU_PACKED
hw/net/virtio-net.c: Don't assume IP length field is aligned
hw/audio/hda: fix memory leak on audio setup
Revert "hw/audio/hda: fix memory leak on audio setup"
hw/misc/mos6522: Fix bad class definition of the MOS6522 device
hw/sd/sdhci: Fix coding style
tests/qtest/migration: Fix indentations
usb-hub: Fix handling port power control messages
MAINTAINERS: Update my email address for COLO
hw/display: check frame buffer can hold blob
hw/display: factor out the scanout blob to fb conversion
hw/i386/elfboot: allocate "header" in heap
hw/misc/nrf51_rng: Don't use BIT_MASK() when we mean BIT()
vl: fix qemu_validate_options() indention

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hw/display: check frame buffer can hold blob

Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix thi

hw/display: check frame buffer can hold blob

Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix this by first using stride for all lines and casting input
to uint64_t to ensure a 64 bit multiply is used.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-ID: <20241111230040.68470-3-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

show more ...

hw/display: factor out the scanout blob to fb conversion

There are two identical sequences of a code doing the same thing that
raise warnings with Coverity. Before fixing those issues lets factor
ou

hw/display: factor out the scanout blob to fb conversion

There are two identical sequences of a code doing the same thing that
raise warnings with Coverity. Before fixing those issues lets factor
out the common code into a helper function we can share.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-ID: <20241111230040.68470-2-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

show more ...

Merge tag 'pull-virtio-gpu-vulkan-291024-1' of https://gitlab.com/stsquad/qemu into staging

virtio-gpu: add venus/vulkan capability

We are currently lacking a declared maintainer for the sub-system

Merge tag 'pull-virtio-gpu-vulkan-291024-1' of https://gitlab.com/stsquad/qemu into staging

virtio-gpu: add venus/vulkan capability

We are currently lacking a declared maintainer for the sub-system so
while we look for one I'm merging after testing locally.

- convert some fprintfs to proper trace events
- move timers used by GL devices into GL structures
- handle virtio_gpu_virgl_init() failure better
- implement unrealize for GL devices
- use virgl version numbering to gate features
- support context-init feature
- don't require udmabuf for virgl only
- add virgl resource tracker
- allow command submission to be suspended
- handle resource blob commands
- dynamically handle capabilit sets
- add venus context support for passing vulkan

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmcg0FsACgkQ+9DbCVqe
# KkT86Qf/RtQuzIl+y60BeXdBLqjpLbS2WY3pk49068o+ZyUccNhMLzfL/Pd2Iz7t
# nW/4kI0lkobsPeKGLJchJQzWgEbFTD3KvYz9r8Ywugoy6FquMUptkSHcH8ggKZwT
# oJ0wT2jNS7UjgcJjnlQ8WaP/EH8qPI/0+e6W6RlcTE1sIxpJ6zHfMnHi4RUayGz7
# P9JYbOrMO2bHWBrdfQXIJaUVSLvy44j9V4u6OCCLPfDvr5RwzPXFv1YmTRpW14Zu
# P+iuxdUjRuhUQDMSKIbrzfHOFLg4iUchMgyd2pnVFjU6zOyA+yKWDxfPO0K0AbHh
# FddMYgP5K7IrgaUc6mI0w2/RCuLJvw==
# =mSAL
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 29 Oct 2024 12:08:59 GMT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full]
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-virtio-gpu-vulkan-291024-1' of https://gitlab.com/stsquad/qemu:
virtio-gpu: Support Venus context
virtio-gpu: Register capsets dynamically
virtio-gpu: Handle resource blob commands
virtio-gpu: Support suspension of commands processing
virtio-gpu: Add virgl resource management
virtio-gpu: Don't require udmabuf when blobs and virgl are enabled
virtio-gpu: Support context-init feature with virglrenderer
virtio-gpu: Use pkgconfig version to decide which virgl features are available
virtio-gpu: Unrealize GL device
virtio-gpu: Handle virtio_gpu_virgl_init() failure
virtio-gpu: Move print_stats timer to VirtIOGPUGL
virtio-gpu: Move fence_poll timer to VirtIOGPUGL
virtio-gpu: Use trace events for tracking number of in-flight fences

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

virtio-gpu: Support Venus context

Request Venus when initializing VirGL and if venus=true flag is set for
virtio-gpu-gl device.

Signed-off-by: Antonio Caggiano <antonio.caggiano@collabora.com>
Sign

virtio-gpu: Support Venus context

Request Venus when initializing VirGL and if venus=true flag is set for
virtio-gpu-gl device.

Signed-off-by: Antonio Caggiano <antonio.caggiano@collabora.com>
Signed-off-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-Id: <20241024210311.118220-14-dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

show more ...

virtio-gpu: Handle resource blob commands

Support BLOB resources creation, mapping, unmapping and set-scanout by
calling the new stable virglrenderer 0.10 interface. Only enabled when
available and

virtio-gpu: Handle resource blob commands

Support BLOB resources creation, mapping, unmapping and set-scanout by
calling the new stable virglrenderer 0.10 interface. Only enabled when
available and via the blob config. E.g. -device virtio-vga-gl,blob=true

Signed-off-by: Antonio Caggiano <antonio.caggiano@collabora.com>
Signed-off-by: Robert Beckett <bob.beckett@collabora.com> # added set_scanout_blob
Signed-off-by: Xenia Ragiadakou <xenia.ragiadakou@amd.com>
Signed-off-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-Id: <20241024210311.118220-12-dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

show more ...

virtio-gpu: Support suspension of commands processing

Check whether command processing has been finished; otherwise, stop
processing commands and retry the command again next time. This allows
us to

virtio-gpu: Support suspension of commands processing

Check whether command processing has been finished; otherwise, stop
processing commands and retry the command again next time. This allows
us to support asynchronous execution of non-fenced commands needed for
unmapping host blobs safely.

Suggested-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-Id: <20241024210311.118220-11-dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

show more ...

virtio-gpu: Don't require udmabuf when blobs and virgl are enabled

The udmabuf usage is mandatory when virgl is disabled and blobs feature
enabled in the Qemu machine configuration. If virgl and blo

virtio-gpu: Don't require udmabuf when blobs and virgl are enabled

The udmabuf usage is mandatory when virgl is disabled and blobs feature
enabled in the Qemu machine configuration. If virgl and blobs are enabled,
then udmabuf requirement is optional. Since udmabuf isn't widely supported
by a popular Linux distros today, let's relax the udmabuf requirement for
blobs=on,virgl=on. Now, a full-featured virtio-gpu acceleration is
available to Qemu users without a need to have udmabuf available in the
system.

Reviewed-by: Antonio Caggiano <antonio.caggiano@collabora.com>
Signed-off-by: Huang Rui <ray.huang@amd.com>
Reviewed-by: Antonio Caggiano <quic_acaggian@quicinc.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-Id: <20241024210311.118220-9-dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

show more ...

virtio-gpu: Use trace events for tracking number of in-flight fences

Replace printf's used for tracking of in-flight fence inc/dec events
with tracing, for consistency with the rest of virtio-gpu co

virtio-gpu: Use trace events for tracking number of in-flight fences

Replace printf's used for tracking of in-flight fence inc/dec events
with tracing, for consistency with the rest of virtio-gpu code that
uses tracing.

Suggested-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-Id: <20241024210311.118220-2-dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

show more ...

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pen

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

show more ...

Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

UI-related fixes & shareable 2d memory with -display dbus

# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCAA6FiEEh6

Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

UI-related fixes & shareable 2d memory with -display dbus

# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCAA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmcNHtIcHG1hcmNhbmRy
# ZS5sdXJlYXVAcmVkaGF0LmNvbQAKCRDa6OEJdZac5SYTD/9fRNrgnZIvIbIGf0kv
# j3LguzwEsfn8eIUbJEIxtDnoS17zX1t981kP9J9ctUM6wnb0iQNYCXeTrF8Xrq0z
# psiPhHGwPyWMdn9SWRfj597ShPn75z340Qve5GUm7clGu2KILh7TqqACH8LzaX+5
# 6jqoZc3kqD+PYZHnYAi6v1YFfLIYfj0n6EaO/J4RRRZSrknpgct7jpmqL4wVzTIo
# KYlG5afdUUfhmSIv5ZDpuuEJppdG74K2H+hJKDPIOOQ8/i/IU2EQPJ00ppiOPbET
# nA0+piLGtHQwU24u5kDdbDlGL/y1KBKvGclOtzLQxWNStch5A6hqllNsuIg+0dJW
# MRO2WZ8C7P7LD1eGmtYVZF/NzjnlTW/hbM5i0poPqhfcwbVmlIXjDs8GUfMGfINr
# 1MVFGNjxfgadYZ1f6Q/JU/KWPJMR4Ik3C/SmGrRBlfra5YIts0ItDeGgfQIW9JGb
# 1CpOng6/3SvW01B6psrPL+wP+6PsK333KPIA77KafOEMyOyEyuSOUrTShXbyXBHc
# r/nLbWw2lZs4U0kgGRQ21+R3huTyw8LnikYpCnGwTWGCpb9NDFYg7z3CRrZW0hWx
# DIWfN7M6YymeYygPUV9Wjo6i4yq4QqWPp7/QXtkSdX3v44/D7NWytKGST+Hwjkpa
# h6U2vrsLdep2m47bnX/dEEP61g==
# =xdt/
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 14 Oct 2024 14:38:26 BST
# gpg: using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: issuer "marcandre.lureau@redhat.com"
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5

* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
audio/pw: Report more accurate error when connecting to PipeWire fails
tests: add basic -display dbus Map.Unix test
ui: refactor using a common qemu_pixman_shareable
virtio-gpu: allocate shareable 2d resources on !win32
ui/dbus: implement Unix.Map
ui/dbus: add Listener.Unix.Map interface XML
ui/dbus: make Listener.Win32.Map win32-specific
meson: find_program('gdbus-codegen') directly
ui/surface: allocate shared memory on !win32
ui/dbus: add trace for can_share_map
ui/dbus: do not limit to one listener per connection / bus name
ui/pixman: generalize shared_image_destroy
util/memfd: report potential errors on free
ui/dbus: discard pending CursorDefine on new one
ui/dbus: discard display messages on disable
ui/dbus: fix filtering all update messages
ui/win32: fix potential use-after-free with dbus shared memory
ui/dbus: fix leak on message filtering
hw/audio/hda: fix memory leak on audio setup
hw/audio/hda: free timer on exit

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

ui: refactor using a common qemu_pixman_shareable

Use a common shareable type for win32 & unix, and helper functions.
This simplify the code as it avoids a lot of #ifdef'ery.

Note: if it helps revi

ui: refactor using a common qemu_pixman_shareable

Use a common shareable type for win32 & unix, and helper functions.
This simplify the code as it avoids a lot of #ifdef'ery.

Note: if it helps review, commits could be reordered to introduce the
common type before introducing shareable memory for unix.

Suggested-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-19-marcandre.lureau@redhat.com>

show more ...

virtio-gpu: allocate shareable 2d resources on !win32

Similar to what was done in commit 9462ff46 ("virtio-gpu/win32: allocate
shareable 2d resources/images") for win32, allocate resource memory wit

virtio-gpu: allocate shareable 2d resources on !win32

Similar to what was done in commit 9462ff46 ("virtio-gpu/win32: allocate
shareable 2d resources/images") for win32, allocate resource memory with
memfd, so the associated display surface memory can be shared with a
different process.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-18-marcandre.lureau@redhat.com>

show more ...

ui/pixman: generalize shared_image_destroy

Learn to free memfd-allocated shared memory.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@dayn

ui/pixman: generalize shared_image_destroy

Learn to free memfd-allocated shared memory.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-10-marcandre.lureau@redhat.com>

show more ...

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pen

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>

show more ...

Merge tag 'hw-misc-20240716' of https://github.com/philmd/qemu into staging

Misc HW & UI patches queue

- Allow loading safely ROMs larger than 4GiB (Gregor)
- Convert vt82c686 IRQ as named 'intr' (

Merge tag 'hw-misc-20240716' of https://github.com/philmd/qemu into staging

Misc HW & UI patches queue

- Allow loading safely ROMs larger than 4GiB (Gregor)
- Convert vt82c686 IRQ as named 'intr' (Bernhard)
- Clarify QDev GPIO API (Peter)
- Drop unused load_image_gzipped function (Ani)
- Make TCGCPUOps::cpu_exec_interrupt handler mandatory (Peter)
- Factor cpu_pause() out (Nicholas)
- Remove transfer size check from ESP DMA DATA IN / OUT transfers (Mark)
- Add accelerated cursor composition to Cocoa UI (Akihiko)
- Fix '-vga help' CLI (Marc-André)
- Fix displayed errno in ram_block_add (Zhenzhong)

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmaWto0ACgkQ4+MsLN6t
# wN54fBAAwfhSQ9PKTYNlnsmJteXAsPCUg8KZwRblkAZs1z/xJX/sFKJF3PZ8fn4r
# Ty+Fiu4Sylfv19mTc/8Bc8pKfHn9zwY7Kb/H5kHjEuFwEZolODHXO8znRV621iZq
# PAeI64dVo5yIgqlAnf6xPSITwe2f75IS0ivIIKYwFsPqeGMUl6dvh/5xqoxis/hQ
# j/1hFLe+jX4whIcOFcqbR3oV3CZy+nMBLJH1/OtvKJ5aC8vFxt5xsKM0xkG94Pmx
# iYhVx4yjULRSSLMaRowqHqEtPB0pmYyuxz0CwjlcI8PU+gUa+dsZLOomD8YenmJR
# FQubQJOKkqlvQ8j7+2okwQs3NDW1TzwsYnvJKB3+EE+DD3Wq/ny5D0eMcnn5NW1Z
# 7rO624XhkvLsJlTJzVvuzpulmC+UFb/6S8CyStGPDxWCGrU3WqdZeoqbbhmXzacU
# ck17Cs2Ma4k0OIRYgAVdnwq96cuQCFNNzNq/iakcJs5Lsaa6Cai/YByKf1tBaGRm
# d/mJgN7WAJrOSpiRhNuNlay4O+hX0rn+wLwecbKW9sbKuoo9eHjzi8YAQuw/TVYr
# oMF/McqtWFCUyVt0eHtA3C+1dSW4+qQTDQSvabbXx54otRSEnMSEubgYFsdu3hF4
# P0mZyxPg4nPxy3uoz9hVQ63F45quaXX/B2fwvoYSBl58xuyxY6M=
# =rOg6
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 17 Jul 2024 04:06:05 AM AEST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]

* tag 'hw-misc-20240716' of https://github.com/philmd/qemu:
system/physmem: use return value of ram_block_discard_require() as errno
vl: fix "type is NULL" in -vga help
ui/console: Remove dpy_cursor_define_supported()
ui/cocoa: Add cursor composition
ui/console: Convert mouse visibility parameter into bool
ui/cocoa: Release CGColorSpace
esp: remove transfer size check from DMA DATA IN and DATA OUT transfers
system/cpus: Add cpu_pause() function
accel/tcg: Make cpu_exec_interrupt hook mandatory
loader: remove load_image_gzipped function as its not used anywhere
include/hw/qdev-core.h: Correct and clarify gpio doc comments
hw/isa/vt82c686: Turn "intr" irq into a named gpio
hw/core/loader: allow loading larger ROMs

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

ui/console: Convert mouse visibility parameter into bool

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Phil Dennis-Jordan <phil@philjordan.eu>
Signed-off-by: Akihiko Odaki

ui/console: Convert mouse visibility parameter into bool

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Phil Dennis-Jordan <phil@philjordan.eu>
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240715-cursor-v3-2-afa5b9492dbf@daynix.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

show more ...

Merge tag 'migration-20240522-pull-request' of https://gitlab.com/farosas/qemu into staging

Migration pull request

- Li Zhijian's COLO minor fixes
- Marc-André's virtio-gpu fix
- Fiona's virtio-net

Merge tag 'migration-20240522-pull-request' of https://gitlab.com/farosas/qemu into staging

Migration pull request

- Li Zhijian's COLO minor fixes
- Marc-André's virtio-gpu fix
- Fiona's virtio-net USO fix
- A couple of migration-test fixes from Thomas

# -----BEGIN PGP SIGNATURE-----
#
# iQJEBAABCAAuFiEEqhtIsKIjJqWkw2TPx5jcdBvsMZ0FAmZObggQHGZhcm9zYXNA
# c3VzZS5kZQAKCRDHmNx0G+wxnWE8D/49RGE+g29qyk9aKx3lU8mSq+ZzmX5GncBt
# 5+Mx5qoHDsBCQTE+dQpEVIoeMJ2HIbgbOML4qsnp6Hw/4/TWkfwC/R6+ZmHBevRk
# fVLkVh2JMHVg8Tq+0FO1X1QnMU03uJ7EAuWdDa8HqlJ5dQY/K3gDaku8oQBXk96X
# 13pChSbMob76tdb+wiwbdEakabigH7XfrPdI6lzI8MCGTIcPKc/UKTFYuoj/OsNx
# raqy+uBtvKtfHxiaYnIgHIPNAF/1f4tP3iAOcPoZWIMXWxFkE8+ANDJAbWo6xIcL
# DGg/wEzZO/OnXLjOhjvLBUHK/fx4wQ5bsqA09BVxoRyBGblkXr+bcwBLYjgiEqzT
# aniPiAx5W/Db+T7HqZPIWesFYj3cmcwvYUTrx/RPMdC0epG+ZczDMtescHdZbxvt
# Pjs3nFeCLhyYcVhlTI72eXRCxdd/26+r6/OmrBC2+GaZrybM61TvNo+3XvO0Pfhi
# UmwF2EN27XmSMelLvH/MnflUVgBHKDs3CCQzDlxreHq2jMVR0SL7LU5wMJJ58Iok
# M3u74izQM25bwYxiASH+4iRn0puH1mOwgOx28W0uiQfZY/678/lCnwa1Tul15BRE
# fIQZJhyIGzhSpwLqEXmdXdlLQs1isqIgpd/mzKgZ285nLr7kz+4gxCUqiXgVbrl7
# P45Dym1u4g==
# =DDrh
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 22 May 2024 03:13:28 PM PDT
# gpg: using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg: issuer "farosas@suse.de"
# gpg: Good signature from "Fabiano Rosas <farosas@suse.de>" [unknown]
# gpg: aka "Fabiano Almeida Rosas <fabiano.rosas@suse.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3 64CF C798 DC74 1BEC 319D

* tag 'migration-20240522-pull-request' of https://gitlab.com/farosas/qemu:
tests/qtest/migration-test: Fix the check for a successful run of analyze-migration.py
tests/qtest/migration-test: Run some basic tests on s390x and ppc64 with TCG, too
hw/core/machine: move compatibility flags for VirtIO-net USO to machine 8.1
virtio-gpu: fix v2 migration
migration: fix a typo
migration: add "exists" info to load-state-field trace
migration/colo: Tidy up bql_unlock() around bdrv_activate_all()
migration/colo: make colo_incoming_co() return void
migration/colo: Minor fix for colo error message

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

virtio-gpu: fix v2 migration

Commit dfcf74fa ("virtio-gpu: fix scanout migration post-load") broke
forward/backward version migration. Versioning of nested VMSD structures
is not straightforward, as

virtio-gpu: fix v2 migration

Commit dfcf74fa ("virtio-gpu: fix scanout migration post-load") broke
forward/backward version migration. Versioning of nested VMSD structures
is not straightforward, as the wire format doesn't have nested
structures versions. Introduce x-scanout-vmstate-version and a field
test to save/load appropriately according to the machine version.

Fixes: dfcf74fa ("virtio-gpu: fix scanout migration post-load")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
[fixed long lines]
Signed-off-by: Fabiano Rosas <farosas@suse.de>

show more ...

Merge tag 'hw-misc-20240410' of https://github.com/philmd/qemu into staging

Misc HW patch queue

- Fix CXL Fixed Memory Window interleave-granularity typo
- Fix for DMA re-entrancy abuse with VirtIO

Merge tag 'hw-misc-20240410' of https://github.com/philmd/qemu into staging

Misc HW patch queue

- Fix CXL Fixed Memory Window interleave-granularity typo
- Fix for DMA re-entrancy abuse with VirtIO devices (CVE-2024-3446)
- Fix out-of-bound access in NAND block buffer
- Fix memory leak in AppleSMC reset() handler
- Avoid VirtIO crypto backends abort o invalid session ID
- Fix overflow in LAN9118 MIL TX FIFO
- Fix overflow when abusing SDHCI TRNMOD register (CVE-2024-3447)
- Fix overrun in short fragmented packet SCTP checksum (CVE-2024-3567)
- Remove unused assignment in virtio-snd model (Coverity 1542933 & 1542934)

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmYWV94ACgkQ4+MsLN6t
# wN4+ew/+PqDmL4S8xXGQPi6Q8fxAogbwo1mPptDO2y8ChEjtc9LI5HOLu90EYz7A
# s62SPDsh3gx8vOthrJVEk0LqCbw4N3s5dFdmHNrnjXCsKQFifgucQ+yZy8ipy34N
# wWHSJ9nipBQLvkK23iCxkbl3cTyr44Rlweae/TZR4/FjFCEe3N555LQU0fruEqRo
# AHW1RjYhGvOfL9knLWzIQqW2QjcCnKky3bJhwHh3crfWE69nvVJTkbSF6oUxWSG0
# RzSToK3nN5tmvUlyvbTBE9u0K9JkOcbtMQiAgj39nR9xpsaUZZa0zSWOmliYIuBC
# kWuUY0/nAQk6gxHBKyu8q09ACBbzeCp+lVPOYXdxax8QMeURSa9fB1qY7JmI5QAZ
# bg0ypD2pvbxhidU5TWpw7araAYyBOJrEYjnOkhXB4oa01ZWu2d0uNhGWo83h3Wjy
# ahKrNDoVIQIdh8QkYy/ZqDwhCMoNM+pQcfUzsYxkqZC/JiiM/qxm87pTHQ/x2yQA
# l0MLzljGv90/dklokrqeg4REwMqfwzc74PUbKdCk43saemmatslK3ktu3xAzUlQW
# 2xmZQTnKwXDf+U3YnYryDddow2LsU7qlu8dlDGNd0WIrE5LRCCXzhv8la66O0jVE
# qMOHpBPkwMlACBwiXuxV6ucelk4vy+XvabeQUsizm0m+PR7TwJY=
# =9phd
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 10 Apr 2024 10:11:58 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20240410' of https://github.com/philmd/qemu:
hw/audio/virtio-snd: Remove unused assignment
hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
hw/net/lan9118: Fix overflow in MIL TX FIFO
hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
backends/cryptodev: Do not abort for invalid session ID
hw/misc/applesmc: Fix memory leak in reset() handler
hw/misc/applesmc: Do not call DeviceReset from DeviceRealize
hw/block/nand: Fix out-of-bound access in NAND block buffer
hw/block/nand: Have blk_load() take unsigned offset and return boolean
hw/block/nand: Factor nand_load_iolen() method out
qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo
hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
hw/virtio: Introduce virtio_bh_new_guarded() helper

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hw/display/virtio-gpu: Protect from DMA re-entrancy bugs

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded()
so the bus and device use the same guard. Otherwise the
DMA-reentrancy protection ca

hw/display/virtio-gpu: Protect from DMA re-entrancy bugs

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded()
so the bus and device use the same guard. Otherwise the
DMA-reentrancy protection can be bypassed:

$ cat << EOF | qemu-system-i386 -display none -nodefaults \
-machine q35,accel=qtest \
-m 512M \
-device virtio-gpu \
-qtest stdio
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0004030 0x4 0x024000e0
write 0xe0004028 0x1 0xff
write 0xe0004020 0x4 0x00009300
write 0xe000401c 0x1 0x01
write 0x101 0x1 0x04
write 0x103 0x1 0x1c
write 0x9301c8 0x1 0x18
write 0x105 0x1 0x1c
write 0x107 0x1 0x1c
write 0x109 0x1 0x1c
write 0x10b 0x1 0x00
write 0x10d 0x1 0x00
write 0x10f 0x1 0x00
write 0x111 0x1 0x00
write 0x113 0x1 0x00
write 0x115 0x1 0x00
write 0x117 0x1 0x00
write 0x119 0x1 0x00
write 0x11b 0x1 0x00
write 0x11d 0x1 0x00
write 0x11f 0x1 0x00
write 0x121 0x1 0x00
write 0x123 0x1 0x00
write 0x125 0x1 0x00
write 0x127 0x1 0x00
write 0x129 0x1 0x00
write 0x12b 0x1 0x00
write 0x12d 0x1 0x00
write 0x12f 0x1 0x00
write 0x131 0x1 0x00
write 0x133 0x1 0x00
write 0x135 0x1 0x00
write 0x137 0x1 0x00
write 0x139 0x1 0x00
write 0xe0007003 0x1 0x00
EOF
...
=================================================================
==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178
at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58
READ of size 8 at 0x60d000011178 thread T0
#0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42
#1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5
#2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13
#3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9
#4 0x562cc4a85514 in aio_bh_call util/async.c:169:5
#5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
#6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5
#7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5
#8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8)
#9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9
#10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5
#11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11
#12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9
#13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14
#14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3
#16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0)

0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8)
freed by thread T0 here:
#0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662)
#1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9
#2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9
#3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5
#4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5
#5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18

previously allocated by thread T0 here:
#0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e)
#1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678)
#2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12
#3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16
#4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15
#5 0x562cc4a85514 in aio_bh_call util/async.c:169:5
#6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
#7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5

SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response

With this change, the same reproducer triggers:

qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Reported-by: Xiao Lei <nop.leixiao@gmail.com>
Reported-by: Yiming Tao <taoym@zju.edu.cn>
Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20240409105537.18308-3-philmd@linaro.org>

show more ...

Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

display/ui: pending fixes

- ui/vnc: Respect bound console
- ui/dbus: optimize a bit message queuing
- virtio-gpu

Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

display/ui: pending fixes

- ui/vnc: Respect bound console
- ui/dbus: optimize a bit message queuing
- virtio-gpu: fix blob scanout post-load

# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCAA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmXwYCYcHG1hcmNhbmRy
# ZS5sdXJlYXVAcmVkaGF0LmNvbQAKCRDa6OEJdZac5bv9D/9J1g76mYND+ad++d+G
# YiewXtHVwrHm9g+TxUdWXaBcDFy+uFtGpwIBtYN76YjSSL47li74V7sQTZ2FQVys
# Y8W61xBzDoAcCLV7/m48WW/mov2+TtyUFYIC3ZOBFS6Ol5aiJ8uurJa11h2WTacq
# tQKlK5g//Yv0H0cxn1cYMqRFdsko3H2hSmYz36QuPWfxivC2VeMnN/iTSGfiVSb+
# hTkOdRu+5qmt3mbbYo0Z6YpvjhLqSLob6n29+P7/QlwrQxP+A/JSS4FrAHryXzvm
# qZ/wRsPmThjwpnt3ZV9AapagQ7908FRmh1EhyAxrWq2G8QGK/XvJ/JPwBOgZGEiy
# W48N5FQhdQUkxkVpkmQVpGhJFAzclqJh/duZiBtixw+25Md6DG04OwHy9k7qCph7
# qj2BZuaSafVcSE0JEG78bt5YHAO3Joyfjf7Jhb0Tqvn2kbv94tCTGtUIH6ngYv4Z
# r0vTmlDr7pe1xaa9HeFpaopckvj4uQhlcMHnrETnUtcdWKE5SaBlgNsIwHlNlKZ6
# wmUIMKymXNRIiCZrf2xxJr7PeZ8FJgTlHCy9poSJRwpZDKHaZQMecklELx+jECuU
# DPhAmTPTZjCKiXGCI+KlL6nDy/H7zA6boCMO2QpKVk0ehviWOQZvu94srTJL5nz/
# RX+rwGbf3+8LfIFJmLcQCD5qag==
# =oY0A
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 12 Mar 2024 14:01:10 GMT
# gpg: using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: issuer "marcandre.lureau@redhat.com"
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg: aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276 F62D DAE8 E109 7596 9CE5

* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
virtio-gpu: fix scanout migration post-load
virtio-gpu: remove needless condition
ui/dbus: filter out pending messages when scanout
ui/dbus: factor out sending a scanout
ui/vnc: Respect bound console

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

virtio-gpu: fix scanout migration post-load

The current post-loading code for scanout has a FIXME: it doesn't take
the resource region/rect into account. But there is more, when adding
blob migratio

virtio-gpu: fix scanout migration post-load

The current post-loading code for scanout has a FIXME: it doesn't take
the resource region/rect into account. But there is more, when adding
blob migration support in commit f66767f75c9, I didn't realize that blob
resources could be used for scanouts. This situationn leads to a crash
during post-load, as they don't have an associated res->image.

virtio_gpu_do_set_scanout() handle all cases, but requires the
associated virtio_gpu_framebuffer, which is currently not saved during
migration.

Add a v2 of "virtio-gpu-one-scanout" with the framebuffer fields, so we
can restore blob scanouts, as well as fixing the existing FIXME.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Sebastian Ott <sebott@redhat.com>

show more ...