[Qemu-devel] [PULL 0/3] virtio-gpu and vmsvga fixes.

[Qemu-devel] [PULL 0/3] virtio-gpu and vmsvga fixes.

[Gerd Hoffmann]

  Hi,

vga patch queue with a few fixes.

please pull,
  Gerd

The following changes since commit 7263da78045dc91cc207f350911efe4259e99b3c:

  Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging (2016-09-12 15:09:47 +0100)

are available in the git repository at:


  git://git.kraxel.org/qemu tags/pull-vga-20160913-1

for you to fetch changes up to c2843e93907a4084e91573994486e810cec248a0:

  virtio-vga: adapt to page-per-vq=off (2016-09-13 09:28:10 +0200)

----------------------------------------------------------------
virtio-gpu and vmsvga fixes.

----------------------------------------------------------------
Gerd Hoffmann (2):
      virtio-gpu-pci: tag as not hotpluggable
      virtio-vga: adapt to page-per-vq=off

Prasad J Pandit (1):
      vmsvga: correct bitmap and pixmap size checks

 hw/display/virtio-gpu-pci.c |  1 +
 hw/display/virtio-vga.c     | 11 +++++++++++
 hw/display/vmware_vga.c     | 12 +++++++-----
 3 files changed, 19 insertions(+), 5 deletions(-)

[Qemu-devel] [PULL 1/3] vmsvga: correct bitmap and pixmap size checks

[Gerd Hoffmann]

From: Prasad J Pandit <pjp@fedoraproject.org>

When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vmware_vga.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             cursor.bpp = vmsvga_fifo_read(s);
 
             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
-            if (cursor.width > 256 ||
-                cursor.height > 256 ||
-                cursor.bpp > 32 ||
-                SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
-                SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+            if (cursor.width > 256
+                || cursor.height > 256
+                || cursor.bpp > 32
+                || SVGA_BITMAP_SIZE(x, y)
+                    > sizeof(cursor.mask) / sizeof(cursor.mask[0])
+                || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
+                    > sizeof(cursor.image) / sizeof(cursor.image[0])) {
                     goto badcmd;
             }
 
-- 
1.8.3.1

[Qemu-devel] [PULL 2/3] virtio-gpu-pci: tag as not hotpluggable

[Gerd Hoffmann]

We can't hotplug display adapters in qemu, tag virtio-gpu-pci
accordingly (virtio-vga already has this).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 1473319037-27645-1-git-send-email-kraxel@redhat.com
---
 hw/display/virtio-gpu-pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/virtio-gpu-pci.c b/hw/display/virtio-gpu-pci.c
index 34a724c..ef92c4a 100644
--- a/hw/display/virtio-gpu-pci.c
+++ b/hw/display/virtio-gpu-pci.c
@@ -48,6 +48,7 @@ static void virtio_gpu_pci_class_init(ObjectClass *klass, void *data)
 
     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
     dc->props = virtio_gpu_pci_properties;
+    dc->hotpluggable = false;
     k->realize = virtio_gpu_pci_realize;
     pcidev_k->class_id = PCI_CLASS_DISPLAY_OTHER;
 }
-- 
1.8.3.1

[Qemu-devel] [PULL 3/3] virtio-vga: adapt to page-per-vq=off

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1473319012-27560-1-git-send-email-kraxel@redhat.com
---
 hw/display/virtio-vga.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hw/display/virtio-vga.c b/hw/display/virtio-vga.c
index 5b510a1..f77b401 100644
--- a/hw/display/virtio-vga.c
+++ b/hw/display/virtio-vga.c
@@ -122,6 +122,17 @@ static void virtio_vga_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
      */
     vpci_dev->modern_mem_bar = 2;
     vpci_dev->msix_bar = 4;
+
+    if (!(vpci_dev->flags & VIRTIO_PCI_FLAG_PAGE_PER_VQ)) {
+        /*
+         * with page-per-vq=off there is no padding space we can use
+         * for the stdvga registers.  Make the common and isr regions
+         * smaller then.
+         */
+        vpci_dev->common.size /= 2;
+        vpci_dev->isr.size /= 2;
+    }
+
     offset = memory_region_size(&vpci_dev->modern_bar);
     offset -= vpci_dev->notify.size;
     vpci_dev->notify.offset = offset;
-- 
1.8.3.1

Re: [Qemu-devel] [PULL 0/3] virtio-gpu and vmsvga fixes.

[Peter Maydell]

On 13 September 2016 at 09:16, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> vga patch queue with a few fixes.
>
> please pull,
>   Gerd
>
> The following changes since commit 7263da78045dc91cc207f350911efe4259e99b3c:
>
>   Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging (2016-09-12 15:09:47 +0100)
>
> are available in the git repository at:
>
>
>   git://git.kraxel.org/qemu tags/pull-vga-20160913-1
>
> for you to fetch changes up to c2843e93907a4084e91573994486e810cec248a0:
>
>   virtio-vga: adapt to page-per-vq=off (2016-09-13 09:28:10 +0200)
>
> ----------------------------------------------------------------
> virtio-gpu and vmsvga fixes.
>

Applied, thanks.

-- PMM