* [Qemu-devel] [PULL 0/3] input patch queue
@ 2017-05-04  5:50 Gerd Hoffmann
From: Gerd Hoffmann @ 2017-05-04  5:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

  Hi,

Input patch queue, with a new tracepoint and two bugfixes (one of them
cve).

please pull,
  Gerd

The following changes since commit e619b14746e5d8c0e53061661fd0e1da01fd4d60:

  Merge remote-tracking branch 'sthibault/tags/samuel-thibault' into staging (2017-05-02 15:16:29 +0100)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-input-20170504-1

for you to fetch changes up to 2222e0a633070f7f3eafcc9d0e95e7f1a4e6fe36:

  input: Add trace event for empty keyboard queue (2017-05-03 14:20:12 +0200)

----------------------------------------------------------------
input: limit kbd queue depth
input: don't queue delay if paused
input: Add trace event for empty keyboard queue

----------------------------------------------------------------
Alexander Graf (1):
      input: Add trace event for empty keyboard queue

Gerd Hoffmann (1):
      input: limit kbd queue depth

Marc-André Lureau (1):
      input: don't queue delay if paused

 hw/input/hid.c        |  4 ++++
 ui/input.c            | 18 +++++++++++++++---
 hw/input/trace-events |  1 +
 3 files changed, 20 insertions(+), 3 deletions(-)

* [Qemu-devel] [PULL 1/3] input: limit kbd queue depth
From: Gerd Hoffmann @ 2017-05-04  5:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, P J P, Huawei PSIRT

Apply a limit to the number of items we accept into the keyboard queue.

Impact: Without this limit vnc clients can exhaust host memory by
sending keyboard events faster than qemu feeds them to the guest.

Fixes: CVE-2017-8379
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170428084237.23960-1-kraxel@redhat.com
---
 ui/input.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ui/input.c b/ui/input.c
index ed88cda6d6..fb1f404095 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
     QTAILQ_HEAD_INITIALIZER(kbd_queue);
 static QEMUTimer *kbd_timer;
 static uint32_t kbd_default_delay_ms = 10;
+static uint32_t queue_count;
+static uint32_t queue_limit = 1024;
 
 QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
                                                    QemuInputHandler *handler)
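Review bot: `queue_limit` is introduced as a bare hard-coded 1024 with no comment on how the value was chosen, and `queue_count` is a single file-scope counter even though the queue helpers take a `queue` pointer, so it really counts items in `kbd_queue` rather than being a per-queue property. Suggest a comment stating the intent (bound the memory a remote client can pin through the keyboard queue, per CVE-2017-8379) and either naming the pair `kbd_queue_count`/`kbd_queue_limit` or storing the counter alongside the queue it tracks.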
@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
             break;
         }
         QTAILQ_REMOVE(queue, item, node);
+        queue_count--;
         g_free(item);
     }
 }
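Review bot: `queue_count--` is added at the single removal site in `qemu_input_queue_process()`; because the counter is `uint32_t`, any removal path that does not decrement, or an increment that is skipped, leaves the count drifting or wrapping to a huge value, and the `queue_count < queue_limit` test added later in this patch would then permanently drop keyboard input. Suggest `assert(queue_count > 0);` before the decrement, or deriving the count from the queue itself, so a mismatch shows up in testing rather than as a stuck keyboard.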
@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
     item->delay_ms = delay_ms;
     item->timer = timer;
     QTAILQ_INSERT_TAIL(queue, item, node);
+    queue_count++;
 
     if (start_timer) {
         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
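Review bot: the increment lives inside `qemu_input_queue_delay()` while the limit check is left to each caller (see the later hunks in this patch), so the invariant is split across functions and a future caller can bypass it. Consider having the three `qemu_input_queue_*()` helpers perform the `queue_count < queue_limit` check themselves and return a bool, so that the count and the bound are maintained in one place.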
@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
     item->src = src;
     item->evt = evt;
     QTAILQ_INSERT_TAIL(queue, item, node);
+    queue_count++;
 }
 
 static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
 
     item->type = QEMU_INPUT_QUEUE_SYNC;
     QTAILQ_INSERT_TAIL(queue, item, node);
+    queue_count++;
 }
 
 void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
         qemu_input_event_send(src, evt);
         qemu_input_event_sync();
         qapi_free_InputEvent(evt);
-    } else {
+    } else if (queue_count < queue_limit) {
         qemu_input_queue_event(&kbd_queue, src, evt);
         qemu_input_queue_sync(&kbd_queue);
     }
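Review bot: the new `else if (queue_count < queue_limit)` creates a third path in which `evt` is neither queued nor freed: the first branch releases it with `qapi_free_InputEvent(evt)` after sending, the queue branch hands ownership to `qemu_input_queue_event()`, but when the queue is full the function now falls through with `evt` still allocated, leaking one `InputEvent` per dropped key. Suggest an explicit `} else { qapi_free_InputEvent(evt); }`. Also, the test is made once but two items (the event and the sync) are appended, so the queue can reach `queue_limit + 1`; harmless for the memory bound, but worth a comment.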
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
                                  &kbd_queue);
     }
-    qemu_input_queue_delay(&kbd_queue, kbd_timer,
-                           delay_ms ? delay_ms : kbd_default_delay_ms);
+    if (queue_count < queue_limit) {
+        qemu_input_queue_delay(&kbd_queue, kbd_timer,
+                               delay_ms ? delay_ms : kbd_default_delay_ms);
+    }
 }
 
 InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
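Review bot: when the limit is reached the delay is dropped silently, so a saturated queue is indistinguishable from lost keystrokes; consider a trace event on the drop path (the HID code has `hid_kbd_queue_full` for the analogous case) so the condition is observable. Minor: `kbd_timer` is still created even when the delay is then discarded; placing the limit check above the timer allocation avoids that, though as a one-time allocation the impact is small.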
-- 
2.9.3

* [Qemu-devel] [PULL 2/3] input: don't queue delay if paused
From: Gerd Hoffmann @ 2017-05-04  5:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann

From: Marc-André Lureau <marcandre.lureau@redhat.com>

qemu_input_event_send() discards the key event when the guest is paused,
but not the delay.

The delay ends up in the input queue, and qemu_input_event_send_key()
will further fill the queue with upcoming events.

VNC uses qemu_input_event_send_key_delay(), not SPICE, which results
in a different input behaviour on pause: VNC will queue the events
(except the first that is discarded), SPICE will discard all events.

Don't queue the delay if paused, and provide the same behaviour on SPICE and
VNC clients on resume (and potentially avoid over-allocating the
buffer queue).

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1444326

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170425130520.31819-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/input.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/input.c b/ui/input.c
index fb1f404095..830f912f99 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -411,6 +411,10 @@ void qemu_input_event_send_key_qcode(QemuConsole *src, QKeyCode q, bool down)
 
 void qemu_input_event_send_key_delay(uint32_t delay_ms)
 {
+    if (!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)) {
+        return;
+    }
+
     if (!kbd_timer) {
         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
                                  &kbd_queue);
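Review bot: the early return restates, as a literal condition, the paused check that the commit message attributes to `qemu_input_event_send()`; if the two expressions differ, or one is changed later, VNC would again queue delays for events that are being discarded. Suggest factoring the `runstate_is_running() || runstate_check(RUN_STATE_SUSPENDED)` test into one helper used by both call sites, plus a one-line comment explaining why SUSPENDED is treated as running for input purposes.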
-- 
2.9.3

* [Qemu-devel] [PULL 3/3] input: Add trace event for empty keyboard queue
From: Gerd Hoffmann @ 2017-05-04  5:50 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Graf, Gerd Hoffmann

From: Alexander Graf <agraf@suse.de>

When driving QEMU from the outside, we have basically no chance to
determine how quickly the guest OS picks up key events, so we usually
have to limit ourselves to very slow keyboard presses to make sure
the guest always has enough chance to pick them up.

This patch adds a trace event when the keyboard queue is drained.
An external driver can use that as a hint that new keys can be pressed.

Signed-off-by: Alexander Graf <agraf@suse.de>
Message-id: 1490883775-94658-1-git-send-email-agraf@suse.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/input/hid.c        | 4 ++++
 hw/input/trace-events | 1 +
 2 files changed, 5 insertions(+)

diff --git a/hw/input/hid.c b/hw/input/hid.c
index fa9cc4c616..93887ecc43 100644
--- a/hw/input/hid.c
+++ b/hw/input/hid.c
@@ -256,6 +256,10 @@ static void hid_keyboard_process_keycode(HIDState *hs)
     slot = hs->head & QUEUE_MASK; QUEUE_INCR(hs->head); hs->n--;
     keycode = hs->kbd.keycodes[slot];
 
+    if (!hs->n) {
+        trace_hid_kbd_queue_empty();
+    }
+
     key = keycode & 0x7f;
     index = key | ((hs->kbd.modifiers & (1 << 8)) >> 1);
     hid_code = hid_usage_keys[index];
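Review bot: `trace_hid_kbd_queue_empty()` fires immediately after `hs->n--` and before the dequeued keycode is translated and reported in the lines that follow, so it signals "queue drained", not "last key delivered to the guest"; an external driver keying off it may send the next press while this one is still being processed. Worth stating that in the commit message or the trace string so consumers do not read more into the hint than it provides.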
diff --git a/hw/input/trace-events b/hw/input/trace-events
index f3bfbede5c..5a87818b49 100644
--- a/hw/input/trace-events
+++ b/hw/input/trace-events
@@ -24,6 +24,7 @@ milkymist_softusb_pulse_irq(void) "Pulse IRQ"
 
 # hw/input/hid.c
 hid_kbd_queue_full(void) "queue full"
+hid_kbd_queue_empty(void) "queue empty"
 
 # hw/input/virtio
 virtio_input_queue_full(void) "queue full"
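Review bot: the new event carries no arguments, so with more than one HID keyboard attached the trace cannot say which device drained; passing a pointer to the `HIDState` (or a device identifier) would make the hint actionable for an external driver. Placing it next to `hid_kbd_queue_full` keeps the pair symmetric, which is good.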
-- 
2.9.3

* Re: [Qemu-devel] [PULL 0/3] input patch queue
From: Stefan Hajnoczi @ 2017-05-05 15:44 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: qemu-devel

On Thu, May 04, 2017 at 07:50:37AM +0200, Gerd Hoffmann wrote:
>   Hi,
> 
> Input patch queue, with a new tracepoint and two bugfixes (one of them
> cve).
> 
> please pull,
>   Gerd
> 
> The following changes since commit e619b14746e5d8c0e53061661fd0e1da01fd4d60:
> 
>   Merge remote-tracking branch 'sthibault/tags/samuel-thibault' into staging (2017-05-02 15:16:29 +0100)
> 
> are available in the git repository at:
> 
>   git://git.kraxel.org/qemu tags/pull-input-20170504-1
> 
> for you to fetch changes up to 2222e0a633070f7f3eafcc9d0e95e7f1a4e6fe36:
> 
>   input: Add trace event for empty keyboard queue (2017-05-03 14:20:12 +0200)
> 
> ----------------------------------------------------------------
> input: limit kbd queue depth
> input: don't queue delay if paused
> input: Add trace event for empty keyboard queue
> 
> ----------------------------------------------------------------
> Alexander Graf (1):
>       input: Add trace event for empty keyboard queue
> 
> Gerd Hoffmann (1):
>       input: limit kbd queue depth
> 
> Marc-André Lureau (1):
>       input: don't queue delay if paused
> 
>  hw/input/hid.c        |  4 ++++
>  ui/input.c            | 18 +++++++++++++++---
>  hw/input/trace-events |  1 +
>  3 files changed, 20 insertions(+), 3 deletions(-)
> 

Thanks, applied to my staging tree:
https://github.com/stefanha/qemu/commits/staging

Stefan
