[Qemu-devel] [PULL 0/2] QMP queue

[Qemu-devel] [PULL 0/2] QMP queue

[Luiz Capitulino]

Two important fixes.

The changes (since 09dada400328d75daf79e3eca1e48e024fec148d) are available
in the following repository:

    git://repo.or.cz/qemu/qmp-unstable.git queue/qmp

Amos Kong (1):
  monitor: fix the wrong order of releasing keys

Luiz Capitulino (1):
  virtio-balloon: fix integer overflow in BALLOON_CHANGE QMP event

 hw/virtio/virtio-balloon.c | 2 +-
 ui/input.c                 | 8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

-- 
1.8.1.4

[Qemu-devel] [PULL 1/2] monitor: fix the wrong order of releasing keys

[Luiz Capitulino]

From: Amos Kong <akong@redhat.com>

(qemu) sendkey ctrl_r-scroll_lock-scroll_lock

Executing this command could not let Windows guest panic, it caused by
the wrong order of releasing keys. This problem was introduced by
commit e4c8f004c55d9da3eae3e14df740238bf805b5d6.

The right release order should be starting from last item.

Signed-off-by: Amos Kong <akong@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 ui/input.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/ui/input.c b/ui/input.c
index 9abef0c..ecfeb43 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -234,13 +234,11 @@ static void free_keycodes(void)
 
 static void release_keys(void *opaque)
 {
-    int i;
-
-    for (i = 0; i < keycodes_size; i++) {
-        if (keycodes[i] & 0x80) {
+    while (keycodes_size > 0) {
+        if (keycodes[--keycodes_size] & 0x80) {
             kbd_put_keycode(0xe0);
         }
-        kbd_put_keycode(keycodes[i]| 0x80);
+        kbd_put_keycode(keycodes[keycodes_size] | 0x80);
     }
 
     free_keycodes();
-- 
1.8.1.4

[Qemu-devel] [PULL 2/2] virtio-balloon: fix integer overflow in BALLOON_CHANGE QMP event

[Luiz Capitulino]

Because dev->actual is uint32_t, the expression 'dev->actual <<
VIRTIO_BALLOON_PFN_SHIFT' is truncated to 32 bits. This overflows when
dev->actual >= 1048576.

To reproduce:

 1. Start a VM with a QMP socket and 5G of RAM
 2. Connect to the QMP socket, negotiate capabilities and issue:

   { "execute":"balloon", "arguments": { "value": 1073741824 } }

 3. Watch for BALLOON_CHANGE QMP events, the last one will incorretly be:

   { "timestamp": { "seconds": 1366228965, "microseconds": 245466 },
     "event": "BALLOON_CHANGE", "data": { "actual": 5368709120 } }

To fix it this commit casts it to ram_addr_t, which is ram_size's type.

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
---
 hw/virtio/virtio-balloon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index c2c446e..76e32ce 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -275,7 +275,7 @@ static void virtio_balloon_set_config(VirtIODevice *vdev,
     dev->actual = le32_to_cpu(config.actual);
     if (dev->actual != oldactual) {
         qemu_balloon_changed(ram_size -
-                             (dev->actual << VIRTIO_BALLOON_PFN_SHIFT));
+                       ((ram_addr_t) dev->actual << VIRTIO_BALLOON_PFN_SHIFT));
     }
 }
 
-- 
1.8.1.4