[Qemu-devel] [PULL for-2.9 0/2] qxl bugfixes

[Qemu-devel] [PULL for-2.9 0/2] qxl bugfixes

[Gerd Hoffmann]

  Hi,

Two bugfixes for qxl.  Well, one actually is a workaround for a guest
driver bug.

please pull,
  Gerd

The following changes since commit 5fe2339e6b09da7d6f48b9bef0f1a7360392b489:

  Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20170406.0' into staging (2017-04-07 10:29:56 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-fixes-20170411-1

for you to fetch changes up to 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858:

  qxl: add migration blocker to avoid pre-save assert (2017-04-11 08:38:17 +0200)

----------------------------------------------------------------
qxl: bugfixes.

----------------------------------------------------------------
Gerd Hoffmann (1):
      qxl: add migration blocker to avoid pre-save assert

Marc-André Lureau (1):
      qxl: switch display on entering VGA

 hw/display/qxl.h |  1 +
 hw/display/qxl.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

[Qemu-devel] [PULL 1/2] qxl: switch display on entering VGA

[Gerd Hoffmann]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Since commit cd958edb1fae85d, same size console resize is skipped. This
change broke QXL incoming migration in VGA mode,
qemu_spice_display_switch() is no longer called during qxl_post_load(),
because default message surface is of the same size, and during
displaychangelistener registration, PCIQXLDevice.mode is
QXL_MODE_UNDEFINED. This triggers a later crash on refresh:

==2634== Invalid read of size 4
==3516== at 0x65F3050: pixman_image_get_data (in /usr/lib64/libpixman-1.so.0.34.0)
==3516== by 0x6F0CEB: qemu_spice_create_update (spice-display.c:215)
==3516== by 0x6F1CC7: qemu_spice_display_refresh (spice-display.c:502)
==3516== by 0x58CF77: display_refresh (qxl.c:1948)
==3516== by 0x6E8084: do_safe_dpy_refresh (console.c:1591)
==3516== by 0x6E80D5: dpy_refresh (console.c:1604)
==3516== by 0x6E4508: gui_update (console.c:201)
==3516== by 0x81898E: timerlist_run_timers (qemu-timer.c:536)
==3516== by 0x8189D6: qemu_clock_run_timers (qemu-timer.c:547)
==3516== by 0x818D98: qemu_clock_run_all_timers (qemu-timer.c:662)
==3516== by 0x81952A: main_loop_wait (main-loop.c:514)
==3516== by 0x4ADD29: main_loop (vl.c:1898)

One way to solve this is to explicitely call qemu_spice_display_switch()
on entering VGA mode, which is called during qxl_post_load().

Fixes:
"null pointer access on migration resume of systemrescuecd boot menu with qxl-vga"
https://bugs.launchpad.net/qemu/+bug/1679126
https://bugzilla.redhat.com/show_bug.cgi?id=1438566

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170406120513.638-4-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/qxl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 0d02f0e..c31b293 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1146,6 +1146,7 @@ static void qxl_enter_vga_mode(PCIQXLDevice *d)
     update_displaychangelistener(&d->ssd.dcl, GUI_REFRESH_INTERVAL_DEFAULT);
     qemu_spice_create_host_primary(&d->ssd);
     d->mode = QXL_MODE_VGA;
+    qemu_spice_display_switch(&d->ssd, d->ssd.ds);
     vga_dirty_log_start(&d->vga);
     graphic_hw_update(d->vga.con);
 }
-- 
2.9.3

[Qemu-devel] [PULL 2/2] qxl: add migration blocker to avoid pre-save assert

[Gerd Hoffmann]

Cc: 1635339@bugs.launchpad.net
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170410113131.2585-1-kraxel@redhat.com
---
 hw/display/qxl.h |  1 +
 hw/display/qxl.c | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index d2d49dd..77e5a36 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -40,6 +40,7 @@ typedef struct PCIQXLDevice {
     uint32_t           cmdlog;
 
     uint32_t           guest_bug;
+    Error              *migration_blocker;
 
     enum qxl_mode      mode;
     uint32_t           cmdflags;
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c31b293..9feae78 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -26,6 +26,7 @@
 #include "qemu/queue.h"
 #include "qemu/atomic.h"
 #include "sysemu/sysemu.h"
+#include "migration/migration.h"
 #include "trace.h"
 
 #include "qxl.h"
@@ -639,6 +640,30 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
         qxl->guest_primary.commands++;
         qxl_track_command(qxl, ext);
         qxl_log_command(qxl, "cmd", ext);
+        {
+            /*
+             * Windows 8 drivers place qxl commands in the vram
+             * (instead of the ram) bar.  We can't live migrate such a
+             * guest, so add a migration blocker in case we detect
+             * this, to avoid triggering the assert in pre_save().
+             *
+             * https://cgit.freedesktop.org/spice/win32/qxl-wddm-dod/commit/?id=f6e099db39e7d0787f294d5fd0dce328b5210faa
+             */
+            void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+            if (msg != NULL && (
+                    msg < (void *)qxl->vga.vram_ptr ||
+                    msg > ((void *)qxl->vga.vram_ptr + qxl->vga.vram_size))) {
+                if (!qxl->migration_blocker) {
+                    Error *local_err = NULL;
+                    error_setg(&qxl->migration_blocker,
+                               "qxl: guest bug: command not in ram bar");
+                    migrate_add_blocker(qxl->migration_blocker, &local_err);
+                    if (local_err) {
+                        error_report_err(local_err);
+                    }
+                }
+            }
+        }
         trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode));
         return true;
     default:
@@ -1236,6 +1261,12 @@ static void qxl_hard_reset(PCIQXLDevice *d, int loadvm)
     qemu_spice_create_host_memslot(&d->ssd);
     qxl_soft_reset(d);
 
+    if (d->migration_blocker) {
+        migrate_del_blocker(d->migration_blocker);
+        error_free(d->migration_blocker);
+        d->migration_blocker = NULL;
+    }
+
     if (startstop) {
         qemu_spice_display_start();
     }
-- 
2.9.3

Re: [Qemu-devel] [PULL for-2.9 0/2] qxl bugfixes

[Peter Maydell]

On 11 April 2017 at 08:02, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> Two bugfixes for qxl.  Well, one actually is a workaround for a guest
> driver bug.
>
> please pull,
>   Gerd
>
> The following changes since commit 5fe2339e6b09da7d6f48b9bef0f1a7360392b489:
>
>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20170406.0' into staging (2017-04-07 10:29:56 +0100)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/pull-fixes-20170411-1
>
> for you to fetch changes up to 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858:
>
>   qxl: add migration blocker to avoid pre-save assert (2017-04-11 08:38:17 +0200)
>
> ----------------------------------------------------------------
> qxl: bugfixes.
>
> ----------------------------------------------------------------
> Gerd Hoffmann (1):
>       qxl: add migration blocker to avoid pre-save assert
>
> Marc-André Lureau (1):
>       qxl: switch display on entering VGA
>
>  hw/display/qxl.h |  1 +
>  hw/display/qxl.c | 32 ++++++++++++++++++++++++++++++++
>  2 files changed, 33 insertions(+)
>
Applied, thanks.

-- PMM