* [PULL 0/3] Fixes 20201104 patches
@ 2020-11-04 15:46 Gerd Hoffmann
2020-11-04 15:46 ` [PULL 1/3] vnc: fix resource leak when websocket channel error Gerd Hoffmann
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2020-11-04 15:46 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
The following changes since commit 3d6e32347a3b57dac7f469a07c5f520e69bd070a:
Update version for v5.2.0-rc0 release (2020-11-03 21:11:57 +0000)
are available in the Git repository at:
git://git.kraxel.org/qemu tags/fixes-20201104-pull-request
for you to fetch changes up to 577b808b0974fa4af53131cdfece6e9de3c6e4fd:
roms/Makefile: Add qboot to .PHONY list (2020-11-04 08:25:17 +0100)
----------------------------------------------------------------
misc bugfixes for 5.2
----------------------------------------------------------------
Bruce Rogers (1):
roms/Makefile: Add qboot to .PHONY list
Ding Hui (1):
vnc: fix resource leak when websocket channel error
Prasad J Pandit (1):
ati: check x y display parameter values
hw/display/ati_2d.c | 10 ++++++----
ui/vnc-auth-sasl.c | 3 ++-
ui/vnc-auth-vencrypt.c | 3 ++-
ui/vnc-jobs.c | 3 ++-
ui/vnc-ws.c | 20 ++++++++++++++++----
ui/vnc.c | 24 ++++++++++++++++++------
roms/Makefile | 2 +-
7 files changed, 47 insertions(+), 18 deletions(-)
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PULL 1/3] vnc: fix resource leak when websocket channel error
2020-11-04 15:46 [PULL 0/3] Fixes 20201104 patches Gerd Hoffmann
@ 2020-11-04 15:46 ` Gerd Hoffmann
2020-11-04 15:46 ` [PULL 2/3] ati: check x y display parameter values Gerd Hoffmann
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2020-11-04 15:46 UTC (permalink / raw)
To: qemu-devel; +Cc: Ding Hui, Gerd Hoffmann, qemu-stable
From: Ding Hui <dinghui@sangfor.com.cn>
When we connect to vnc by websocket channel, and disconnect
(maybe by some network exception) before handshake,
qemu will left CLOSE_WAIT socket and never close it
After 04d2529da2 ("ui: convert VNC server to use QIOChannelSocket")
and dd154c4d9f ("io: fix handling of EOF / error conditions in websock GSource"),
the vnc call qio_channel_add_watch only care about G_IO_IN,
but mising G_IO_HUP and G_IO_ERR.
When the websocket channel get EOF or error, it cannot callback,
because the caller ignore the event, that leads to resource leak
We need handle G_IO_HUP and G_IO_ERR event, then cleanup the channel
Fixes: 04d2529da2 ("ui: convert VNC server to use QIOChannelSocket")
Fixes: dd154c4d9f ("io: fix handling of EOF / error conditions in websock GSource")
Cc: qemu-stable@nongnu.org
Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
Message-id: 20201029032241.11040-1-dinghui@sangfor.com.cn
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc-auth-sasl.c | 3 ++-
ui/vnc-auth-vencrypt.c | 3 ++-
ui/vnc-jobs.c | 3 ++-
ui/vnc-ws.c | 20 ++++++++++++++++----
ui/vnc.c | 24 ++++++++++++++++++------
5 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/ui/vnc-auth-sasl.c b/ui/vnc-auth-sasl.c
index 0517b2ead9ce..f67111a3662a 100644
--- a/ui/vnc-auth-sasl.c
+++ b/ui/vnc-auth-sasl.c
@@ -111,7 +111,8 @@ size_t vnc_client_write_sasl(VncState *vs)
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vnc_client_io, vs, NULL);
}
return ret;
diff --git a/ui/vnc-auth-vencrypt.c b/ui/vnc-auth-vencrypt.c
index f072e16aceb1..d9c212ff3286 100644
--- a/ui/vnc-auth-vencrypt.c
+++ b/ui/vnc-auth-vencrypt.c
@@ -79,7 +79,8 @@ static void vnc_tls_handshake_done(QIOTask *task,
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
+ vnc_client_io, vs, NULL);
start_auth_vencrypt_subauth(vs);
}
}
diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c
index 929391f85d69..dbbfbefe5619 100644
--- a/ui/vnc-jobs.c
+++ b/ui/vnc-jobs.c
@@ -151,7 +151,8 @@ void vnc_jobs_consume_buffer(VncState *vs)
}
if (vs->disconnecting == FALSE) {
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
+ vnc_client_io, vs, NULL);
}
}
buffer_move(&vs->output, &vs->jobs_buffer);
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
index 95c9703c7240..6d79f3e5a5d8 100644
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -41,13 +41,14 @@ static void vncws_tls_handshake_done(QIOTask *task,
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- QIO_CHANNEL(vs->ioc), G_IO_IN, vncws_handshake_io, vs, NULL);
+ QIO_CHANNEL(vs->ioc), G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vncws_handshake_io, vs, NULL);
}
}
gboolean vncws_tls_handshake_io(QIOChannel *ioc G_GNUC_UNUSED,
- GIOCondition condition G_GNUC_UNUSED,
+ GIOCondition condition,
void *opaque)
{
VncState *vs = opaque;
@@ -59,6 +60,11 @@ gboolean vncws_tls_handshake_io(QIOChannel *ioc G_GNUC_UNUSED,
vs->ioc_tag = 0;
}
+ if (condition & (G_IO_HUP | G_IO_ERR)) {
+ vnc_client_error(vs);
+ return TRUE;
+ }
+
tls = qio_channel_tls_new_server(
vs->ioc,
vs->vd->tlscreds,
@@ -105,13 +111,14 @@ static void vncws_handshake_done(QIOTask *task,
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vnc_client_io, vs, NULL);
}
}
gboolean vncws_handshake_io(QIOChannel *ioc G_GNUC_UNUSED,
- GIOCondition condition G_GNUC_UNUSED,
+ GIOCondition condition,
void *opaque)
{
VncState *vs = opaque;
@@ -122,6 +129,11 @@ gboolean vncws_handshake_io(QIOChannel *ioc G_GNUC_UNUSED,
vs->ioc_tag = 0;
}
+ if (condition & (G_IO_HUP | G_IO_ERR)) {
+ vnc_client_error(vs);
+ return TRUE;
+ }
+
wioc = qio_channel_websock_new_server(vs->ioc);
qio_channel_set_name(QIO_CHANNEL(wioc), "vnc-ws-server-websock");
diff --git a/ui/vnc.c b/ui/vnc.c
index f006aa1afdb2..49235056f7a8 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1398,7 +1398,8 @@ static size_t vnc_client_write_plain(VncState *vs)
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vnc_client_io, vs, NULL);
}
return ret;
@@ -1435,7 +1436,8 @@ static void vnc_client_write(VncState *vs)
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vnc_client_io, vs, NULL);
}
vnc_unlock_output(vs);
}
@@ -1551,6 +1553,12 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
VncState *vs = opaque;
assert(vs->magic == VNC_MAGIC);
+
+ if (condition & (G_IO_HUP | G_IO_ERR)) {
+ vnc_disconnect_start(vs);
+ return TRUE;
+ }
+
if (condition & G_IO_IN) {
if (vnc_client_read(vs) < 0) {
/* vs is free()ed here */
@@ -1612,7 +1620,8 @@ void vnc_write(VncState *vs, const void *data, size_t len)
g_source_remove(vs->ioc_tag);
}
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN | G_IO_OUT, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR | G_IO_OUT,
+ vnc_client_io, vs, NULL);
}
buffer_append(&vs->output, data, len);
@@ -3077,14 +3086,17 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
vs->websocket = 1;
if (vd->tlscreds) {
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vncws_tls_handshake_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vncws_tls_handshake_io, vs, NULL);
} else {
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vncws_handshake_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vncws_handshake_io, vs, NULL);
}
} else {
vs->ioc_tag = qio_channel_add_watch(
- vs->ioc, G_IO_IN, vnc_client_io, vs, NULL);
+ vs->ioc, G_IO_IN | G_IO_HUP | G_IO_ERR,
+ vnc_client_io, vs, NULL);
}
vnc_client_cache_addr(vs);
--
2.27.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PULL 2/3] ati: check x y display parameter values
2020-11-04 15:46 [PULL 0/3] Fixes 20201104 patches Gerd Hoffmann
2020-11-04 15:46 ` [PULL 1/3] vnc: fix resource leak when websocket channel error Gerd Hoffmann
@ 2020-11-04 15:46 ` Gerd Hoffmann
2020-11-04 15:46 ` [PULL 3/3] roms/Makefile: Add qboot to .PHONY list Gerd Hoffmann
2020-11-05 11:10 ` [PULL 0/3] Fixes 20201104 patches Peter Maydell
3 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2020-11-04 15:46 UTC (permalink / raw)
To: qemu-devel; +Cc: Gaoning Pan, Gerd Hoffmann, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
The source and destination x,y display parameters in ati_2d_blt()
may run off the vga limits if either of s->regs.[src|dst]_[xy] is
zero. Check the parameter values to avoid potential crash.
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20201021103818.1704030-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/ati_2d.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 23a8ae0cd8ce..4dc10ea79529 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
dst_stride *= bpp;
}
uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
- dst_stride >= end) {
+ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
+ || dst_bits + dst_x
+ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return;
}
@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
src_bits += s->regs.crtc_offset & 0x07ffffff;
src_stride *= bpp;
}
- if (src_bits >= end || src_bits + src_x +
- (src_y + s->regs.dst_height) * src_stride >= end) {
+ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
+ || src_bits + src_x
+ + (src_y + s->regs.dst_height) * src_stride >= end) {
qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
return;
}
--
2.27.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PULL 3/3] roms/Makefile: Add qboot to .PHONY list
2020-11-04 15:46 [PULL 0/3] Fixes 20201104 patches Gerd Hoffmann
2020-11-04 15:46 ` [PULL 1/3] vnc: fix resource leak when websocket channel error Gerd Hoffmann
2020-11-04 15:46 ` [PULL 2/3] ati: check x y display parameter values Gerd Hoffmann
@ 2020-11-04 15:46 ` Gerd Hoffmann
2020-11-05 11:10 ` [PULL 0/3] Fixes 20201104 patches Peter Maydell
3 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2020-11-04 15:46 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann, Bruce Rogers
From: Bruce Rogers <brogers@suse.com>
Adding qboot to the .PHONY directive will allow a
make -C roms qboot invocation to work as expected
Signed-off-by: Bruce Rogers <brogers@suse.com>
Message-id: 20201020152512.837769-1-brogers@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
roms/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roms/Makefile b/roms/Makefile
index 1489d47350f2..7045e374d339 100644
--- a/roms/Makefile
+++ b/roms/Makefile
@@ -102,7 +102,7 @@ build-seabios-config-%: config.%
OUT=$(CURDIR)/seabios/builds/$*/ all
-.PHONY: sgabios skiboot
+.PHONY: sgabios skiboot qboot
sgabios:
$(MAKE) -C sgabios
cp sgabios/sgabios.bin ../pc-bios
--
2.27.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PULL 0/3] Fixes 20201104 patches
2020-11-04 15:46 [PULL 0/3] Fixes 20201104 patches Gerd Hoffmann
` (2 preceding siblings ...)
2020-11-04 15:46 ` [PULL 3/3] roms/Makefile: Add qboot to .PHONY list Gerd Hoffmann
@ 2020-11-05 11:10 ` Peter Maydell
3 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2020-11-05 11:10 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: QEMU Developers
On Wed, 4 Nov 2020 at 15:49, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> The following changes since commit 3d6e32347a3b57dac7f469a07c5f520e69bd070a:
>
> Update version for v5.2.0-rc0 release (2020-11-03 21:11:57 +0000)
>
> are available in the Git repository at:
>
> git://git.kraxel.org/qemu tags/fixes-20201104-pull-request
>
> for you to fetch changes up to 577b808b0974fa4af53131cdfece6e9de3c6e4fd:
>
> roms/Makefile: Add qboot to .PHONY list (2020-11-04 08:25:17 +0100)
>
> ----------------------------------------------------------------
> misc bugfixes for 5.2
>
> ----------------------------------------------------------------
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/5.2
for any user-visible changes.
-- PMM
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-11-05 11:11 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-04 15:46 [PULL 0/3] Fixes 20201104 patches Gerd Hoffmann
2020-11-04 15:46 ` [PULL 1/3] vnc: fix resource leak when websocket channel error Gerd Hoffmann
2020-11-04 15:46 ` [PULL 2/3] ati: check x y display parameter values Gerd Hoffmann
2020-11-04 15:46 ` [PULL 3/3] roms/Makefile: Add qboot to .PHONY list Gerd Hoffmann
2020-11-05 11:10 ` [PULL 0/3] Fixes 20201104 patches Peter Maydell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).