[PULL 0/3] Vga 20210615 patches

[PULL 0/3] Vga 20210615 patches

[Gerd Hoffmann]

The following changes since commit 1ea06abceec61b6f3ab33dadb0510b6e09fb61e2:

  Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging (2021-06-14 15:59:13 +0100)

are available in the Git repository at:

  git://git.kraxel.org/qemu tags/vga-20210615-pull-request

for you to fetch changes up to 4fa7b4cc500e1fbd8c11e65548b7713db81e75ff:

  virtio-gpu: move scanout_id sanity check (2021-06-15 07:16:56 +0200)

----------------------------------------------------------------
vga: fixes for stdvga, vhost-user-gpu and virtio-gpu.

----------------------------------------------------------------

Dennis Wölfing (1):
  vga: Allow writing VBE_DISPI_ID5 to ID register

Gerd Hoffmann (2):
  vhost-user-gpu: reorder free calls.
  virtio-gpu: move scanout_id sanity check

 contrib/vhost-user-gpu/vhost-user-gpu.c |  2 +-
 hw/display/vga.c                        |  3 ++-
 hw/display/virtio-gpu.c                 | 20 ++++++++++++++------
 3 files changed, 17 insertions(+), 8 deletions(-)

-- 
2.31.1

[PULL 1/3] vga: Allow writing VBE_DISPI_ID5 to ID register

[Gerd Hoffmann]

From: Dennis Wölfing <denniswoelfing@gmx.de>

The highest VBE_DISPI_INDEX_ID version supported by QEMU is
VBE_DISPI_ID5. But currently QEMU only allows writing values up to
VBE_DISPI_ID4 to the VBE_DISPI_INDEX_ID register.

As a result of this when a lower version is written to this register and
later VBE_DISPI_ID5 is written back, reads from the register will
continue to report the lower version.

Indeed SeaBIOS is doing that during VGA initialization which causes
guests to always read VBE_DISPI_ID0 instead of the correct version.

Signed-off-by: Dennis Wölfing <denniswoelfing@gmx.de>
Message-Id: <20210607115303.228659-1-denniswoelfing@gmx.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vga.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 28a90e30d0cf..9d1f66af402e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -752,7 +752,8 @@ void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
                 val == VBE_DISPI_ID1 ||
                 val == VBE_DISPI_ID2 ||
                 val == VBE_DISPI_ID3 ||
-                val == VBE_DISPI_ID4) {
+                val == VBE_DISPI_ID4 ||
+                val == VBE_DISPI_ID5) {
                 s->vbe_regs[s->vbe_index] = val;
             }
             break;
-- 
2.31.1

[PULL 2/3] vhost-user-gpu: reorder free calls.

[Gerd Hoffmann]

Free in correct order to avoid use-after-free.

Resolves: CID 1453812
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210604103714.1237414-1-kraxel@redhat.com>
---
 contrib/vhost-user-gpu/vhost-user-gpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
index 6dc6a44f4e26..611360e6b475 100644
--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
@@ -350,8 +350,8 @@ vg_resource_create_2d(VuGpu *g,
     if (!res->image) {
         g_critical("%s: resource creation failed %d %d %d",
                    __func__, c2d.resource_id, c2d.width, c2d.height);
-        g_free(res);
         vugbm_buffer_destroy(&res->buffer);
+        g_free(res);
         cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
         return;
     }
-- 
2.31.1

[PULL 3/3] virtio-gpu: move scanout_id sanity check

[Gerd Hoffmann]

Checking scanout_id in virtio_gpu_do_set_scanout() is too late, for the
"resource_id == 0" case (aka disable scanout) the scanout_id is used
unchecked.  Move the check into the callers to fix that.

Fixes: e64d4b6a9bc3 ("virtio-gpu: Refactor virtio_gpu_set_scanout")
Fixes: 32db3c63ae11 ("virtio-gpu: Add virtio_gpu_set_scanout_blob")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/383
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-Id: <20210604075029.1201478-1-kraxel@redhat.com>
---
 hw/display/virtio-gpu.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 4d549377cbc1..e183f4ecdaa5 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -610,12 +610,6 @@ static void virtio_gpu_do_set_scanout(VirtIOGPU *g,
     struct virtio_gpu_scanout *scanout;
     uint8_t *data;
 
-    if (scanout_id >= g->parent_obj.conf.max_outputs) {
-        qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
-                      __func__, scanout_id);
-        *error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
-        return;
-    }
     scanout = &g->parent_obj.scanout[scanout_id];
 
     if (r->x > fb->width ||
@@ -694,6 +688,13 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
     trace_virtio_gpu_cmd_set_scanout(ss.scanout_id, ss.resource_id,
                                      ss.r.width, ss.r.height, ss.r.x, ss.r.y);
 
+    if (ss.scanout_id >= g->parent_obj.conf.max_outputs) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
+                      __func__, ss.scanout_id);
+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
+        return;
+    }
+
     if (ss.resource_id == 0) {
         virtio_gpu_disable_scanout(g, ss.scanout_id);
         return;
@@ -730,6 +731,13 @@ static void virtio_gpu_set_scanout_blob(VirtIOGPU *g,
                                           ss.r.width, ss.r.height, ss.r.x,
                                           ss.r.y);
 
+    if (ss.scanout_id >= g->parent_obj.conf.max_outputs) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
+                      __func__, ss.scanout_id);
+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
+        return;
+    }
+
     if (ss.resource_id == 0) {
         virtio_gpu_disable_scanout(g, ss.scanout_id);
         return;
-- 
2.31.1

Re: [PULL 0/3] Vga 20210615 patches

[Peter Maydell]

On Tue, 15 Jun 2021 at 18:45, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> The following changes since commit 1ea06abceec61b6f3ab33dadb0510b6e09fb61e2:
>
>   Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging (2021-06-14 15:59:13 +0100)
>
> are available in the Git repository at:
>
>   git://git.kraxel.org/qemu tags/vga-20210615-pull-request
>
> for you to fetch changes up to 4fa7b4cc500e1fbd8c11e65548b7713db81e75ff:
>
>   virtio-gpu: move scanout_id sanity check (2021-06-15 07:16:56 +0200)
>
> ----------------------------------------------------------------
> vga: fixes for stdvga, vhost-user-gpu and virtio-gpu.
>
> ----------------------------------------------------------------
>
> Dennis Wölfing (1):
>   vga: Allow writing VBE_DISPI_ID5 to ID register
>
> Gerd Hoffmann (2):
>   vhost-user-gpu: reorder free calls.
>   virtio-gpu: move scanout_id sanity check


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM