[Qemu-devel] [PATCH v8 1/4] qxl/update_area_io: guest_bug on invalid parameters

[Qemu-devel] [PATCH v8 1/4] qxl/update_area_io: guest_bug on invalid parameters

[Alon Levy]

Signed-off-by: Alon Levy <alevy@redhat.com>
---

Changes for patchset v7->v8:
 QXL_IO_MONITORS_CONFIG_ASYNC is defined even when spice-protocol < 0.12 (Gerd Hoffman)
 QXL_HAS_.. is either defined or not, same as other feature definitions (Blue Swirl)

 Only the third patch "qxl: add QXL_IO_MONITORS_CONFIG_ASYNC" is affected.

 hw/qxl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/qxl.c b/hw/qxl.c
index c2dd3b4..6c48eb9 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1385,6 +1385,18 @@ async_common:
         QXLCookie *cookie = NULL;
         QXLRect update = d->ram->update_area;
 
+        if (d->ram->update_surface > NUM_SURFACES) {
+            qxl_set_guest_bug(d, "QXL_IO_UPDATE_AREA: invalid surface id %d\n",
+                              d->ram->update_surface);
+            return;
+        }
+        if (update.left >= update.right || update.top >= update.bottom) {
+            qxl_set_guest_bug(d,
+                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
+                    update.left, update.top, update.right, update.bottom);
+            return;
+        }
+
         if (async == QXL_ASYNC) {
             cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
                                     QXL_IO_UPDATE_AREA_ASYNC);
-- 
1.7.11.2

[Qemu-devel] [PATCH v8 2/4] qxl: disallow unknown revisions

[Alon Levy]

Signed-off-by: Alon Levy <alevy@redhat.com>
---
 hw/qxl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 6c48eb9..c978f5e 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1797,10 +1797,13 @@ static int qxl_init_common(PCIQXLDevice *qxl)
         io_size = 16;
         break;
     case 3: /* qxl-3 */
-    default:
         pci_device_rev = QXL_DEFAULT_REVISION;
         io_size = msb_mask(QXL_IO_RANGE_SIZE * 2 - 1);
         break;
+    default:
+        error_report("Invalid revision %d for qxl device (max %d)",
+                     qxl->revision, QXL_DEFAULT_REVISION);
+        return -1;
     }
 
     pci_set_byte(&config[PCI_REVISION_ID], pci_device_rev);
-- 
1.7.11.2

[Qemu-devel] [PATCH v8 3/4] qxl: add QXL_IO_MONITORS_CONFIG_ASYNC

[Alon Levy]

Revision bumped to 4 for new IO support, enabled for spice-server >=
0.11.1. New io enabled iff revision is 4. Revision can be set to 4, and
defaults to 4, iff spice-server >= 0.11.1 && spice-protocol >=
0.12.0.

This io calls the corresponding new spice api
spice_qxl_monitors_config_async to let spice-server read a new guest set
monitors config and notify the client.

On migration reissue spice_qxl_monitors_config_async.

RHBZ: 770842

Signed-off-by: Alon Levy <alevy@redhat.com>
---
 configure          |  3 +++
 hw/qxl.c           | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 hw/qxl.h           |  8 +++++++
 trace-events       |  1 +
 ui/spice-display.h |  1 +
 5 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/configure b/configure
index cc774b5..ff6443e 100755
--- a/configure
+++ b/configure
@@ -2657,6 +2657,9 @@ EOF
     spice="yes"
     libs_softmmu="$libs_softmmu $spice_libs"
     QEMU_CFLAGS="$QEMU_CFLAGS $spice_cflags"
+    if $pkg_config --atleast-version=0.12.0 spice-protocol >/dev/null 2>&1; then
+        QEMU_CFLAGS="$QEMU_CFLAGS -DQXL_HAS_IO_MONITORS_CONFIG_ASYNC"
+    fi
   else
     if test "$spice" = "yes" ; then
       feature_not_found "spice"
diff --git a/hw/qxl.c b/hw/qxl.c
index c978f5e..f2534e4 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -27,6 +27,11 @@
 
 #include "qxl.h"
 
+#ifndef QXL_HAS_IO_MONITORS_CONFIG_ASYNC
+/* spice-protocol is too old, add missing definitions */
+#define QXL_IO_MONITORS_CONFIG_ASYNC (QXL_IO_FLUSH_RELEASE + 1)
+#endif
+
 /*
  * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as
  * such can be changed by the guest, so to avoid a guest trigerrable
@@ -249,6 +254,24 @@ static void qxl_spice_destroy_surfaces(PCIQXLDevice *qxl, qxl_async_io async)
     }
 }
 
+static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl)
+{
+    trace_qxl_spice_monitors_config(qxl->id);
+/* 0x000b01 == 0.11.1 */
+#if SPICE_SERVER_VERSION >= 0x000b01 && \
+    defined(QXL_HAS_IO_MONITORS_CONFIG_ASYNC)
+    qxl->guest_monitors_config = qxl->ram->monitors_config;
+    spice_qxl_monitors_config_async(&qxl->ssd.qxl,
+            qxl->ram->monitors_config,
+            MEMSLOT_GROUP_GUEST,
+            (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
+                                      QXL_IO_MONITORS_CONFIG_ASYNC));
+#else
+    fprintf(stderr, "qxl: too old spice-protocol/spice-server for "
+            "QXL_IO_MONITORS_CONFIG_ASYNC\n");
+#endif
+}
+
 void qxl_spice_reset_image_cache(PCIQXLDevice *qxl)
 {
     trace_qxl_spice_reset_image_cache(qxl->id);
@@ -538,6 +561,7 @@ static const char *io_port_to_string(uint32_t io_port)
                                         = "QXL_IO_DESTROY_ALL_SURFACES_ASYNC",
         [QXL_IO_FLUSH_SURFACES_ASYNC]   = "QXL_IO_FLUSH_SURFACES_ASYNC",
         [QXL_IO_FLUSH_RELEASE]          = "QXL_IO_FLUSH_RELEASE",
+        [QXL_IO_MONITORS_CONFIG_ASYNC]  = "QXL_IO_MONITORS_CONFIG_ASYNC",
     };
     return io_port_to_string[io_port];
 }
@@ -819,6 +843,7 @@ static void interface_async_complete_io(PCIQXLDevice *qxl, QXLCookie *cookie)
     case QXL_IO_DESTROY_PRIMARY_ASYNC:
     case QXL_IO_UPDATE_AREA_ASYNC:
     case QXL_IO_FLUSH_SURFACES_ASYNC:
+    case QXL_IO_MONITORS_CONFIG_ASYNC:
         break;
     case QXL_IO_CREATE_PRIMARY_ASYNC:
         qxl_create_guest_primary_complete(qxl);
@@ -894,6 +919,8 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
     case QXL_COOKIE_TYPE_RENDER_UPDATE_AREA:
         qxl_render_update_area_done(qxl, cookie);
         break;
+    case QXL_COOKIE_TYPE_POST_LOAD_MONITORS_CONFIG:
+        break;
     default:
         fprintf(stderr, "qxl: %s: unexpected cookie type %d\n",
                 __func__, cookie->type);
@@ -1314,6 +1341,13 @@ static void ioport_write(void *opaque, target_phys_addr_t addr,
         return;
     }
 
+    if (d->revision <= QXL_REVISION_STABLE_V10 &&
+        io_port >= QXL_IO_FLUSH_SURFACES_ASYNC) {
+        qxl_set_guest_bug(d, "unsupported io %d for revision %d\n",
+            io_port, d->revision);
+        return;
+    }
+
     switch (io_port) {
     case QXL_IO_RESET:
     case QXL_IO_SET_MODE:
@@ -1333,7 +1367,7 @@ static void ioport_write(void *opaque, target_phys_addr_t addr,
             io_port, io_port_to_string(io_port));
         /* be nice to buggy guest drivers */
         if (io_port >= QXL_IO_UPDATE_AREA_ASYNC &&
-            io_port <= QXL_IO_DESTROY_ALL_SURFACES_ASYNC) {
+            io_port < QXL_IO_RANGE_SIZE) {
             qxl_send_events(d, QXL_INTERRUPT_IO_CMD);
         }
         return;
@@ -1361,6 +1395,7 @@ static void ioport_write(void *opaque, target_phys_addr_t addr,
         io_port = QXL_IO_DESTROY_ALL_SURFACES;
         goto async_common;
     case QXL_IO_FLUSH_SURFACES_ASYNC:
+    case QXL_IO_MONITORS_CONFIG_ASYNC:
 async_common:
         async = QXL_ASYNC;
         qemu_mutex_lock(&d->async_lock);
@@ -1502,6 +1537,9 @@ async_common:
         d->mode = QXL_MODE_UNDEFINED;
         qxl_spice_destroy_surfaces(d, async);
         break;
+    case QXL_IO_MONITORS_CONFIG_ASYNC:
+        qxl_spice_monitors_config_async(d);
+        break;
     default:
         qxl_set_guest_bug(d, "%s: unexpected ioport=0x%x\n", __func__, io_port);
     }
@@ -1797,9 +1835,17 @@ static int qxl_init_common(PCIQXLDevice *qxl)
         io_size = 16;
         break;
     case 3: /* qxl-3 */
-        pci_device_rev = QXL_DEFAULT_REVISION;
+        pci_device_rev = QXL_REVISION_STABLE_V10;
+        io_size = 32; /* PCI region size must be pow2 */
+        break;
+/* 0x000b01 == 0.11.1 */
+#if SPICE_SERVER_VERSION >= 0x000b01 && \
+        defined(QXL_HAS_IO_MONITORS_CONFIG_ASYNC)
+    case 4: /* qxl-4 */
+        pci_device_rev = QXL_REVISION_STABLE_V12;
         io_size = msb_mask(QXL_IO_RANGE_SIZE * 2 - 1);
         break;
+#endif
     default:
         error_report("Invalid revision %d for qxl device (max %d)",
                      qxl->revision, QXL_DEFAULT_REVISION);
@@ -1998,7 +2044,20 @@ static int qxl_post_load(void *opaque, int version)
         }
         qxl_spice_loadvm_commands(d, cmds, out);
         g_free(cmds);
-
+        if (d->guest_monitors_config) {
+            /*
+             * don't use QXL_COOKIE_TYPE_IO:
+             *  - we are not running yet (post_load), we will assert
+             *    in send_events
+             *  - this is not a guest io, but a reply, so async_io isn't set.
+             */
+            spice_qxl_monitors_config_async(&d->ssd.qxl,
+                    d->guest_monitors_config,
+                    MEMSLOT_GROUP_GUEST,
+                    (uintptr_t)qxl_cookie_new(
+                        QXL_COOKIE_TYPE_POST_LOAD_MONITORS_CONFIG,
+                        0));
+        }
         break;
     case QXL_MODE_COMPAT:
         /* note: no need to call qxl_create_memslots, qxl_set_mode
@@ -2065,6 +2124,7 @@ static VMStateDescription qxl_vmstate = {
         VMSTATE_ARRAY(guest_surfaces.cmds, PCIQXLDevice, NUM_SURFACES, 0,
                       vmstate_info_uint64, uint64_t),
         VMSTATE_UINT64(guest_cursor, PCIQXLDevice),
+        VMSTATE_UINT64(guest_monitors_config, PCIQXLDevice),
         VMSTATE_END_OF_LIST()
     },
 };
diff --git a/hw/qxl.h b/hw/qxl.h
index 172baf6..b4fbe0e 100644
--- a/hw/qxl.h
+++ b/hw/qxl.h
@@ -71,6 +71,8 @@ typedef struct PCIQXLDevice {
     } guest_surfaces;
     QXLPHYSICAL        guest_cursor;
 
+    QXLPHYSICAL        guest_monitors_config;
+
     QemuMutex          track_lock;
 
     /* thread signaling */
@@ -128,7 +130,13 @@ typedef struct PCIQXLDevice {
         }                                                               \
     } while (0)
 
+/* 0x000b01 == 0.11.1 */
+#if SPICE_SERVER_VERSION >= 0x000b01 &&\
+    defined(QXL_HAS_IO_MONITORS_CONFIG_ASYNC)
+#define QXL_DEFAULT_REVISION QXL_REVISION_STABLE_V12
+#else
 #define QXL_DEFAULT_REVISION QXL_REVISION_STABLE_V10
+#endif
 
 /* qxl.c */
 void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
diff --git a/trace-events b/trace-events
index 04b0723..8fcbc50 100644
--- a/trace-events
+++ b/trace-events
@@ -956,6 +956,7 @@ qxl_spice_destroy_surfaces(int qid, int async) "%d async=%d"
 qxl_spice_destroy_surface_wait_complete(int qid, uint32_t id) "%d sid=%d"
 qxl_spice_destroy_surface_wait(int qid, uint32_t id, int async) "%d sid=%d async=%d"
 qxl_spice_flush_surfaces_async(int qid, uint32_t surface_count, uint32_t num_free_res) "%d s#=%d, res#=%d"
+qxl_spice_monitors_config(int id) "%d"
 qxl_spice_loadvm_commands(int qid, void *ext, uint32_t count) "%d ext=%p count=%d"
 qxl_spice_oom(int qid) "%d"
 qxl_spice_reset_cursor(int qid) "%d"
diff --git a/ui/spice-display.h b/ui/spice-display.h
index 12e50b6..7fa095f 100644
--- a/ui/spice-display.h
+++ b/ui/spice-display.h
@@ -51,6 +51,7 @@ typedef enum qxl_async_io {
 enum {
     QXL_COOKIE_TYPE_IO,
     QXL_COOKIE_TYPE_RENDER_UPDATE_AREA,
+    QXL_COOKIE_TYPE_POST_LOAD_MONITORS_CONFIG,
 };
 
 typedef struct QXLCookie {
-- 
1.7.11.2

Re: [Qemu-devel] [PATCH v8 3/4] qxl: add QXL_IO_MONITORS_CONFIG_ASYNC

[Gerd Hoffmann]

  Hi,

Patch looks alot nicer now with a bunch if #ifdefs removed.

One issue left I missed before:

>      case QXL_MODE_COMPAT:
>          /* note: no need to call qxl_create_memslots, qxl_set_mode
> @@ -2065,6 +2124,7 @@ static VMStateDescription qxl_vmstate = {
>          VMSTATE_ARRAY(guest_surfaces.cmds, PCIQXLDevice, NUM_SURFACES, 0,
>                        vmstate_info_uint64, uint64_t),
>          VMSTATE_UINT64(guest_cursor, PCIQXLDevice),
> +        VMSTATE_UINT64(guest_monitors_config, PCIQXLDevice),
>          VMSTATE_END_OF_LIST()
>      },

That breaks migration.

You probably want a subsection here which stuffs guest_monitors_config
into the stream only in case the guest has actually configured it, so
migration between qemu versions with & without monitor config support
keeps working as long as the guest doesn't use the new feature (or it is
disabled via rev=3).

cheers,
  Gerd

[Qemu-devel] [PATCH v8 4/4] configure: print spice-protocol and spice-server versions

[Alon Levy]

Signed-off-by: Alon Levy <alevy@redhat.com>
---
 configure | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/configure b/configure
index ff6443e..aae051b 100755
--- a/configure
+++ b/configure
@@ -2657,6 +2657,8 @@ EOF
     spice="yes"
     libs_softmmu="$libs_softmmu $spice_libs"
     QEMU_CFLAGS="$QEMU_CFLAGS $spice_cflags"
+    spice_protocol_version=$($pkg_config --modversion spice-protocol)
+    spice_server_version=$($pkg_config --modversion spice-server)
     if $pkg_config --atleast-version=0.12.0 spice-protocol >/dev/null 2>&1; then
         QEMU_CFLAGS="$QEMU_CFLAGS -DQXL_HAS_IO_MONITORS_CONFIG_ASYNC"
     fi
@@ -3114,7 +3116,7 @@ echo "libcap-ng support $cap_ng"
 echo "vhost-net support $vhost_net"
 echo "Trace backend     $trace_backend"
 echo "Trace output file $trace_file-<pid>"
-echo "spice support     $spice"
+echo "spice support     $spice ($spice_protocol_version/$spice_server_version)"
 echo "rbd support       $rbd"
 echo "xfsctl support    $xfs"
 echo "nss used          $smartcard_nss"
-- 
1.7.11.2