From e2c81d16b90b90b95b119aa44f88f1340220ed87 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2016 05:45:27 +0000 Subject: import spice-0.12.4-19.el7 --- diff --git a/SOURCES/0001-red_channel-prevent-adding-and-pushing-pipe-items-af.patch b/SOURCES/0001-red_channel-prevent-adding-and-pushing-pipe-items-af.patch index 0c6baf8..a324677 100644 --- a/SOURCES/0001-red_channel-prevent-adding-and-pushing-pipe-items-af.patch +++ b/SOURCES/0001-red_channel-prevent-adding-and-pushing-pipe-items-af.patch @@ -1,4 +1,4 @@ -From a8c04050adea390fa183a117a8c092fb2ca70620 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 24 Jul 2013 14:54:23 -0400 Subject: [PATCH] red_channel: prevent adding and pushing pipe items after a diff --git a/SOURCES/0002-red_channel-add-ref-count-to-RedClient.patch b/SOURCES/0002-red_channel-add-ref-count-to-RedClient.patch index 2756a14..9cf3d1f 100644 --- a/SOURCES/0002-red_channel-add-ref-count-to-RedClient.patch +++ b/SOURCES/0002-red_channel-add-ref-count-to-RedClient.patch @@ -1,4 +1,4 @@ -From d30642a50a407974e809a62a771d5e0c107dc297 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Fri, 26 Jul 2013 13:45:16 -0400 Subject: [PATCH] red_channel: add ref count to RedClient diff --git a/SOURCES/0003-main_dispatcher-add-ref-count-protection-to-RedClien.patch b/SOURCES/0003-main_dispatcher-add-ref-count-protection-to-RedClien.patch index dc216e2..67b05c2 100644 --- a/SOURCES/0003-main_dispatcher-add-ref-count-protection-to-RedClien.patch +++ b/SOURCES/0003-main_dispatcher-add-ref-count-protection-to-RedClien.patch @@ -1,4 +1,4 @@ -From 72cefedc68dcd78d4b4220d850844bb9c0ee46ce Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Fri, 26 Jul 2013 13:49:24 -0400 Subject: [PATCH] main_dispatcher: add ref count protection to RedClient diff --git a/SOURCES/0004-decouple-disconnection-of-the-main-channel-from-clie.patch b/SOURCES/0004-decouple-disconnection-of-the-main-channel-from-clie.patch index 3a59749..eb015b9 100644 --- a/SOURCES/0004-decouple-disconnection-of-the-main-channel-from-clie.patch +++ b/SOURCES/0004-decouple-disconnection-of-the-main-channel-from-clie.patch @@ -1,4 +1,4 @@ -From 977a70e88992bfe56a03294d76b8478bf7dd7020 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Thu, 25 Jul 2013 14:19:21 -0400 Subject: [PATCH] decouple disconnection of the main channel from client diff --git a/SOURCES/0005-reds-s-red_client_disconnect-red_channel_client_shut.patch b/SOURCES/0005-reds-s-red_client_disconnect-red_channel_client_shut.patch index 16652cd..e9851ed 100644 --- a/SOURCES/0005-reds-s-red_client_disconnect-red_channel_client_shut.patch +++ b/SOURCES/0005-reds-s-red_client_disconnect-red_channel_client_shut.patch @@ -1,4 +1,4 @@ -From 5dff0a2af2f5ecb697ea512d402df21fa5ba2540 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Thu, 25 Jul 2013 14:25:24 -0400 Subject: [PATCH] reds: s/red_client_disconnect/red_channel_client_shutdown diff --git a/SOURCES/0006-snd_worker-fix-memory-leak-of-PlaybackChannel.patch b/SOURCES/0006-snd_worker-fix-memory-leak-of-PlaybackChannel.patch index 14f2b51..da9d6f1 100644 --- a/SOURCES/0006-snd_worker-fix-memory-leak-of-PlaybackChannel.patch +++ b/SOURCES/0006-snd_worker-fix-memory-leak-of-PlaybackChannel.patch @@ -1,4 +1,4 @@ -From 1021382d0d16d6e7944941f5b091639678ea1cad Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Thu, 25 Jul 2013 14:49:33 -0400 Subject: [PATCH] snd_worker: fix memory leak of PlaybackChannel diff --git a/SOURCES/0007-snd_worker-snd_disconnect_channel-don-t-call-snd_cha.patch b/SOURCES/0007-snd_worker-snd_disconnect_channel-don-t-call-snd_cha.patch index c411ed6..5243444 100644 --- a/SOURCES/0007-snd_worker-snd_disconnect_channel-don-t-call-snd_cha.patch +++ b/SOURCES/0007-snd_worker-snd_disconnect_channel-don-t-call-snd_cha.patch @@ -1,4 +1,4 @@ -From 0e568836a130a51ded1b905745e9079f44e801a5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Thu, 25 Jul 2013 15:07:43 -0400 Subject: [PATCH] snd_worker/snd_disconnect_channel: don't call snd_channel_put diff --git a/SOURCES/0008-log-improve-debug-information-related-to-client-disc.patch b/SOURCES/0008-log-improve-debug-information-related-to-client-disc.patch index ba03db9..900ffdf 100644 --- a/SOURCES/0008-log-improve-debug-information-related-to-client-disc.patch +++ b/SOURCES/0008-log-improve-debug-information-related-to-client-disc.patch @@ -1,4 +1,4 @@ -From 7e0c5e8da1526180086e2341780896613ef9d957 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Fri, 26 Jul 2013 12:15:00 -0400 Subject: [PATCH] log: improve debug information related to client diff --git a/SOURCES/0009-red_worker-decrease-the-timeout-when-flushing-comman.patch b/SOURCES/0009-red_worker-decrease-the-timeout-when-flushing-comman.patch index 34748a9..fb53c25 100644 --- a/SOURCES/0009-red_worker-decrease-the-timeout-when-flushing-comman.patch +++ b/SOURCES/0009-red_worker-decrease-the-timeout-when-flushing-comman.patch @@ -1,4 +1,4 @@ -From acf8d75bb7226c8ed8f5d3e7c7c93fae35c7192e Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Mon, 5 Aug 2013 12:10:15 -0400 Subject: [PATCH] red_worker: decrease the timeout when flushing commands and diff --git a/SOURCES/0010-Fix-buffer-overflow-when-decrypting-client-SPICE-tic.patch b/SOURCES/0010-Fix-buffer-overflow-when-decrypting-client-SPICE-tic.patch index 4e6b520..6cc2375 100644 --- a/SOURCES/0010-Fix-buffer-overflow-when-decrypting-client-SPICE-tic.patch +++ b/SOURCES/0010-Fix-buffer-overflow-when-decrypting-client-SPICE-tic.patch @@ -1,4 +1,4 @@ -From fb263d33f99b5d8c8f370df48a04c926eac5781e Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Fri, 23 Aug 2013 11:29:44 +0200 Subject: [PATCH] Fix buffer overflow when decrypting client SPICE ticket diff --git a/SOURCES/0011-server-move-three-functions-to-red_channel.patch b/SOURCES/0011-server-move-three-functions-to-red_channel.patch index 5eb019e..c541150 100644 --- a/SOURCES/0011-server-move-three-functions-to-red_channel.patch +++ b/SOURCES/0011-server-move-three-functions-to-red_channel.patch @@ -1,4 +1,4 @@ -From 2549affd7164634609ffe2796616a2195a3118a4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alon Levy Date: Mon, 12 Aug 2013 15:01:42 +0300 Subject: [PATCH] server: move three functions to red_channel diff --git a/SOURCES/0012-server-s-red_wait_all_sent-red_channel_wait_all_sent.patch b/SOURCES/0012-server-s-red_wait_all_sent-red_channel_wait_all_sent.patch index 2c75a14..1a44cf0 100644 --- a/SOURCES/0012-server-s-red_wait_all_sent-red_channel_wait_all_sent.patch +++ b/SOURCES/0012-server-s-red_wait_all_sent-red_channel_wait_all_sent.patch @@ -1,4 +1,4 @@ -From 9d9042d8530e975ef2dbc67da153b4d91e1099c7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alon Levy Date: Mon, 12 Aug 2013 19:48:24 +0300 Subject: [PATCH] server: s/red_wait_all_sent/red_channel_wait_all_sent/ diff --git a/SOURCES/0013-red_worker-cleanup-red_clear_surface_drawables_from_.patch b/SOURCES/0013-red_worker-cleanup-red_clear_surface_drawables_from_.patch index 973899c..b0c8bcc 100644 --- a/SOURCES/0013-red_worker-cleanup-red_clear_surface_drawables_from_.patch +++ b/SOURCES/0013-red_worker-cleanup-red_clear_surface_drawables_from_.patch @@ -1,4 +1,4 @@ -From 8d90b811ea77f80db914ffd153ee1d8954bf1cbb Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 11 Sep 2013 13:39:35 -0400 Subject: [PATCH] red_worker: cleanup red_clear_surface_drawables_from_pipes diff --git a/SOURCES/0014-red_channel-cleanup-of-red_channel_client-blocking-m.patch b/SOURCES/0014-red_channel-cleanup-of-red_channel_client-blocking-m.patch index bad6c4b..d70f4a6 100644 --- a/SOURCES/0014-red_channel-cleanup-of-red_channel_client-blocking-m.patch +++ b/SOURCES/0014-red_channel-cleanup-of-red_channel_client-blocking-m.patch @@ -1,4 +1,4 @@ -From 3af85a04dc7639102f15bbc819b15489178aefbb Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 11 Sep 2013 13:31:21 -0400 Subject: [PATCH] red_channel: cleanup of red_channel_client blocking methods diff --git a/SOURCES/0015-red_worker-disconnect-the-channel-instead-of-shutdow.patch b/SOURCES/0015-red_worker-disconnect-the-channel-instead-of-shutdow.patch index 6fbb575..adadd9e 100644 --- a/SOURCES/0015-red_worker-disconnect-the-channel-instead-of-shutdow.patch +++ b/SOURCES/0015-red_worker-disconnect-the-channel-instead-of-shutdow.patch @@ -1,4 +1,4 @@ -From 7d044aae3ce063d901154a288106aa18703f7832 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 11 Sep 2013 15:02:23 -0400 Subject: [PATCH] red_worker: disconnect the channel instead of shutdown in diff --git a/SOURCES/0016-spice_timer_queue-don-t-call-timers-repeatedly.patch b/SOURCES/0016-spice_timer_queue-don-t-call-timers-repeatedly.patch index 7e47cbd..df997da 100644 --- a/SOURCES/0016-spice_timer_queue-don-t-call-timers-repeatedly.patch +++ b/SOURCES/0016-spice_timer_queue-don-t-call-timers-repeatedly.patch @@ -1,4 +1,4 @@ -From cc477ab18f925465d5ea33664128a2e29b3afcb2 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Tue, 13 Aug 2013 15:40:16 -0400 Subject: [PATCH] spice_timer_queue: don't call timers repeatedly diff --git a/SOURCES/0017-red_channel-add-on_input-callback-for-tracing-incomi.patch b/SOURCES/0017-red_channel-add-on_input-callback-for-tracing-incomi.patch index 06b91be..1906655 100644 --- a/SOURCES/0017-red_channel-add-on_input-callback-for-tracing-incomi.patch +++ b/SOURCES/0017-red_channel-add-on_input-callback-for-tracing-incomi.patch @@ -1,4 +1,4 @@ -From af5b26baa47ced2f5e4822b66fb102e82f885e9a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 14 Aug 2013 09:38:12 -0400 Subject: [PATCH] red_channel: add on_input callback for tracing incoming bytes diff --git a/SOURCES/0018-red_channel-add-option-to-monitor-whether-a-channel-.patch b/SOURCES/0018-red_channel-add-option-to-monitor-whether-a-channel-.patch index 32125a7..77b2c62 100644 --- a/SOURCES/0018-red_channel-add-option-to-monitor-whether-a-channel-.patch +++ b/SOURCES/0018-red_channel-add-option-to-monitor-whether-a-channel-.patch @@ -1,4 +1,4 @@ -From c1a4637e0a6854fd67438bde2dfa7489cbc9e9c4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 14 Aug 2013 10:10:37 -0400 Subject: [PATCH] red_channel: add option to monitor whether a channel client diff --git a/SOURCES/0019-main_channel-monitoring-client-connection-status.patch b/SOURCES/0019-main_channel-monitoring-client-connection-status.patch index 467e0bb..7f1b99c 100644 --- a/SOURCES/0019-main_channel-monitoring-client-connection-status.patch +++ b/SOURCES/0019-main_channel-monitoring-client-connection-status.patch @@ -1,4 +1,4 @@ -From 3d1c72b6da63f24aeaae45ec7681826520c1d404 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Yonit Halperin Date: Wed, 14 Aug 2013 10:56:44 -0400 Subject: [PATCH] main_channel: monitoring client connection status diff --git a/SOURCES/0020-Fix-crash-when-clearing-surface-memory.patch b/SOURCES/0020-Fix-crash-when-clearing-surface-memory.patch index 20d2102..46e831d 100644 --- a/SOURCES/0020-Fix-crash-when-clearing-surface-memory.patch +++ b/SOURCES/0020-Fix-crash-when-clearing-surface-memory.patch @@ -1,7 +1,7 @@ -From 1898f3949cf75422aa1fedba40c429b28d8d6b67 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Wed, 6 Aug 2014 18:34:56 +0200 -Subject: [PATCH spice] Fix crash when clearing surface memory +Subject: [PATCH] Fix crash when clearing surface memory The beginning of the surface data needs to be computed correctly if the stride is negative, otherwise, it should point already to the beginning @@ -13,10 +13,10 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1029646 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/server/red_worker.c b/server/red_worker.c -index 6bdad93..35a1a04 100644 +index 7a1c2d9..d7962c5 100644 --- a/server/red_worker.c +++ b/server/red_worker.c -@@ -9470,7 +9470,11 @@ static inline void red_create_surface(RedWorker *worker, uint32_t surface_id, ui +@@ -9654,7 +9654,11 @@ static inline void red_create_surface(RedWorker *worker, uint32_t surface_id, ui surface->context.stride = stride; surface->context.line_0 = line_0; if (!data_is_valid) { @@ -29,6 +29,3 @@ index 6bdad93..35a1a04 100644 } surface->create.info = NULL; surface->destroy.info = NULL; --- -1.9.3 - diff --git a/SOURCES/0021-Fix-assert-in-mjpeg_encoder_adjust_params_to_bit_rat.patch b/SOURCES/0021-Fix-assert-in-mjpeg_encoder_adjust_params_to_bit_rat.patch index 3aff4b9..1fc1729 100644 --- a/SOURCES/0021-Fix-assert-in-mjpeg_encoder_adjust_params_to_bit_rat.patch +++ b/SOURCES/0021-Fix-assert-in-mjpeg_encoder_adjust_params_to_bit_rat.patch @@ -1,4 +1,4 @@ -From 44944a574df0b6cbfd01b7ec8c55ce83e4b78156 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jonathon Jongsma Date: Fri, 30 May 2014 13:45:02 -0500 Subject: [PATCH] Fix assert in mjpeg_encoder_adjust_params_to_bit_rate() diff --git a/SOURCES/0022-reds-lookup-corresponding-channel-id.patch b/SOURCES/0022-reds-lookup-corresponding-channel-id.patch index e2c092d..723acbe 100644 --- a/SOURCES/0022-reds-lookup-corresponding-channel-id.patch +++ b/SOURCES/0022-reds-lookup-corresponding-channel-id.patch @@ -1,4 +1,4 @@ -From 6be22cda720b42feb7760ebddb68e4cee96f259a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Mon, 18 Nov 2013 11:28:25 +0100 Subject: [PATCH] reds: lookup corresponding channel id diff --git a/SOURCES/0023-dispatcher-lower-a-monitor-config-warning-to-a-debug.patch b/SOURCES/0023-dispatcher-lower-a-monitor-config-warning-to-a-debug.patch index 0de2a85..39f7288 100644 --- a/SOURCES/0023-dispatcher-lower-a-monitor-config-warning-to-a-debug.patch +++ b/SOURCES/0023-dispatcher-lower-a-monitor-config-warning-to-a-debug.patch @@ -1,4 +1,4 @@ -From 88f46c8de8d42c4e364169f59cd9bd64b1954bd4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Fri, 29 Aug 2014 13:14:08 +0200 Subject: [PATCH] dispatcher: lower a monitor-config warning to a debug level diff --git a/SOURCES/0024-mjpeg-Don-t-warn-on-unsupported-image-formats.patch b/SOURCES/0024-mjpeg-Don-t-warn-on-unsupported-image-formats.patch index 3cb811c..e77bf6e 100644 --- a/SOURCES/0024-mjpeg-Don-t-warn-on-unsupported-image-formats.patch +++ b/SOURCES/0024-mjpeg-Don-t-warn-on-unsupported-image-formats.patch @@ -1,4 +1,4 @@ -From 64b5ae4531fb64595b9f23500ded79c3ce0bde9f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Wed, 26 Feb 2014 15:40:55 +0100 Subject: [PATCH] mjpeg: Don't warn on unsupported image formats diff --git a/SOURCES/0025-server-Don-t-dump-the-bitmap-when-the-format-is-inva.patch b/SOURCES/0025-server-Don-t-dump-the-bitmap-when-the-format-is-inva.patch index 94206a7..e3ee4f5 100644 --- a/SOURCES/0025-server-Don-t-dump-the-bitmap-when-the-format-is-inva.patch +++ b/SOURCES/0025-server-Don-t-dump-the-bitmap-when-the-format-is-inva.patch @@ -1,4 +1,4 @@ -From 987f7fdd952d8ba481df4d39bc87aaaa8fd77b90 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 00:38:36 +0200 Subject: [PATCH] server: Don't dump the bitmap when the format is invalid diff --git a/SOURCES/0026-Fix-Wunused-parameter.patch b/SOURCES/0026-Fix-Wunused-parameter.patch index baeecea..0cb1219 100644 --- a/SOURCES/0026-Fix-Wunused-parameter.patch +++ b/SOURCES/0026-Fix-Wunused-parameter.patch @@ -1,4 +1,4 @@ -From 19a48c295bb2e0cb546a4cd9ad8582c4ab26c7d4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 13:24:55 +0200 Subject: [PATCH] Fix -Wunused-parameter diff --git a/SOURCES/0027-Fix-Wunused-value.patch b/SOURCES/0027-Fix-Wunused-value.patch index 0b647ab..5298f6b 100644 --- a/SOURCES/0027-Fix-Wunused-value.patch +++ b/SOURCES/0027-Fix-Wunused-value.patch @@ -1,4 +1,4 @@ -From 267d95198b1672f7aac49b607db99d7727f2094b Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 13:34:42 +0200 Subject: [PATCH] Fix -Wunused-value diff --git a/SOURCES/0028-Fix-Wsign.patch b/SOURCES/0028-Fix-Wsign.patch index 75ec46f..0321ae5 100644 --- a/SOURCES/0028-Fix-Wsign.patch +++ b/SOURCES/0028-Fix-Wsign.patch @@ -1,4 +1,4 @@ -From a40ecb73678a1d35348c19c7ba8a69b987b410e4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 13:42:48 +0200 Subject: [PATCH] Fix -Wsign diff --git a/SOURCES/0029-Fix-Wswitch.patch b/SOURCES/0029-Fix-Wswitch.patch index 056468d..1923558 100644 --- a/SOURCES/0029-Fix-Wswitch.patch +++ b/SOURCES/0029-Fix-Wswitch.patch @@ -1,4 +1,4 @@ -From 7187bf54171f8f9b80acbb19ff2237e2ffaa997a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 13:45:49 +0200 Subject: [PATCH] Fix -Wswitch diff --git a/SOURCES/0030-Fix-Wformat.patch b/SOURCES/0030-Fix-Wformat.patch index dcbb19d..fa19f08 100644 --- a/SOURCES/0030-Fix-Wformat.patch +++ b/SOURCES/0030-Fix-Wformat.patch @@ -1,4 +1,4 @@ -From b66767e3d0ac1bab80b7bbca3d75728188bab7b5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 13:52:16 +0200 Subject: [PATCH] Fix -Wformat diff --git a/SOURCES/0031-Fix-Wnonnull.patch b/SOURCES/0031-Fix-Wnonnull.patch index 9d0acaa..3ed5ae3 100644 --- a/SOURCES/0031-Fix-Wnonnull.patch +++ b/SOURCES/0031-Fix-Wnonnull.patch @@ -1,4 +1,4 @@ -From fa6453dd041eb414d7aec38d2706d68317b94130 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 13:55:56 +0200 Subject: [PATCH] Fix -Wnonnull diff --git a/SOURCES/0032-Fix-Wmissing-field-initializers.patch b/SOURCES/0032-Fix-Wmissing-field-initializers.patch index 04f8a9f..d96b117 100644 --- a/SOURCES/0032-Fix-Wmissing-field-initializers.patch +++ b/SOURCES/0032-Fix-Wmissing-field-initializers.patch @@ -1,4 +1,4 @@ -From 51d0a8d322b5c380a01df4776e55fae580dda3af Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 14:19:52 +0200 Subject: [PATCH] Fix -Wmissing-field-initializers diff --git a/SOURCES/0033-Fix-Wunused-function.patch b/SOURCES/0033-Fix-Wunused-function.patch index 4dc134a..38d958f 100644 --- a/SOURCES/0033-Fix-Wunused-function.patch +++ b/SOURCES/0033-Fix-Wunused-function.patch @@ -1,4 +1,4 @@ -From da9c55f936266b1fb5d4ee55d25ccfcb70e14ef3 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Sep 2014 15:06:54 +0200 Subject: [PATCH] Fix -Wunused-function diff --git a/SOURCES/0034-Validate-surface-bounding-box-before-using-it.patch b/SOURCES/0034-Validate-surface-bounding-box-before-using-it.patch index 0a0c061..701d618 100644 --- a/SOURCES/0034-Validate-surface-bounding-box-before-using-it.patch +++ b/SOURCES/0034-Validate-surface-bounding-box-before-using-it.patch @@ -1,4 +1,4 @@ -From 0d7971739587df80c82efaf3cc7932875b5e8c43 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Tue, 9 Sep 2014 18:00:30 +0200 Subject: [PATCH] Validate surface bounding box before using it diff --git a/SOURCES/0035-migration-Don-t-assert-if-MIGRATE_DATA-comes-before-.patch b/SOURCES/0035-migration-Don-t-assert-if-MIGRATE_DATA-comes-before-.patch index fc3b0f9..80167ae 100644 --- a/SOURCES/0035-migration-Don-t-assert-if-MIGRATE_DATA-comes-before-.patch +++ b/SOURCES/0035-migration-Don-t-assert-if-MIGRATE_DATA-comes-before-.patch @@ -1,4 +1,4 @@ -From 3bd625a0c183e6c729b2fcbd934b36de14ce4a2f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Uri Lublin Date: Wed, 16 Jul 2014 17:02:04 +0300 Subject: [PATCH] migration: Don't assert() if MIGRATE_DATA comes before @@ -151,10 +151,10 @@ index 464552a..06e9a3e 100644 + reds_agent_state_restore(reds->agent_state.mig_data); + free(reds->agent_state.mig_data); + reds->agent_state.mig_data = NULL; - } ++ } + else { + spice_debug("waiting for migration data"); -+ } + } + } else { + /* we will associate the client with the char device, upon reds_on_main_agent_start, + * in response to MSGC_AGENT_START */ diff --git a/SOURCES/0036-server-fix-crash-when-restarting-VM-with-old-client.patch b/SOURCES/0036-server-fix-crash-when-restarting-VM-with-old-client.patch index 589aeea..93a8405 100644 --- a/SOURCES/0036-server-fix-crash-when-restarting-VM-with-old-client.patch +++ b/SOURCES/0036-server-fix-crash-when-restarting-VM-with-old-client.patch @@ -1,4 +1,4 @@ -From beb9b9a776e20a992edde78722356ecbdee9893a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 9 Oct 2014 17:23:06 +0200 Subject: [PATCH] server: fix crash when restarting VM with old client diff --git a/SOURCES/0037-Use-TLS-version-1.0-or-better.patch b/SOURCES/0037-Use-TLS-version-1.0-or-better.patch index 7b16924..310feda 100644 --- a/SOURCES/0037-Use-TLS-version-1.0-or-better.patch +++ b/SOURCES/0037-Use-TLS-version-1.0-or-better.patch @@ -1,7 +1,7 @@ -From 4fc9ba5f27dd4c04441d38c893ee962da01baf80 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ja=C5=A1a?= Date: Wed, 27 Nov 2013 17:45:49 +0100 -Subject: [PATCH spice] Use TLS version 1.0 or better +Subject: [PATCH] Use TLS version 1.0 or better When creating a TLS socket, both spice-server and spice-gtk currently call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function set the @@ -18,10 +18,10 @@ it. 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/server/reds.c b/server/reds.c -index 2a0002b..d79732c 100644 +index 06e9a3e..ccba67c 100644 --- a/server/reds.c +++ b/server/reds.c -@@ -3221,6 +3221,8 @@ static int reds_init_ssl(void) +@@ -3232,6 +3232,8 @@ static int reds_init_ssl(void) SSL_METHOD *ssl_method; #endif int return_code; @@ -30,7 +30,7 @@ index 2a0002b..d79732c 100644 long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Global system initialization*/ -@@ -3228,7 +3230,8 @@ static int reds_init_ssl(void) +@@ -3239,7 +3241,8 @@ static int reds_init_ssl(void) SSL_load_error_strings(); /* Create our context*/ @@ -40,6 +40,3 @@ index 2a0002b..d79732c 100644 reds->ctx = SSL_CTX_new(ssl_method); if (!reds->ctx) { spice_warning("Could not allocate new SSL context"); --- -2.1.0 - diff --git a/SOURCES/0038-Add-const-to-test_capability-first-argument.patch b/SOURCES/0038-Add-const-to-test_capability-first-argument.patch index 7fd9526..e7f2de9 100644 --- a/SOURCES/0038-Add-const-to-test_capability-first-argument.patch +++ b/SOURCES/0038-Add-const-to-test_capability-first-argument.patch @@ -1,7 +1,7 @@ -From 17fd07ff2fd287fff6cc866a308097e75cb968f5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Wed, 19 Mar 2014 18:17:32 +0100 -Subject: [PATCH 1/3] Add const to test_capability first argument +Subject: [PATCH] Add const to test_capability first argument We don't modify the capabilities content, so it can be marked as const. --- @@ -35,6 +35,3 @@ index 9e54dce..58109d5 100644 typedef struct RedChannelClientLatencyMonitor { int state; --- -2.4.4 - diff --git a/SOURCES/0039-Introduce-red_link_info_test_capability.patch b/SOURCES/0039-Introduce-red_link_info_test_capability.patch index 8b17861..434663d 100644 --- a/SOURCES/0039-Introduce-red_link_info_test_capability.patch +++ b/SOURCES/0039-Introduce-red_link_info_test_capability.patch @@ -1,7 +1,7 @@ -From 0b0ca2c972041b785145c558dfd0e8372869f696 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Wed, 5 Mar 2014 11:59:37 +0100 -Subject: [PATCH 2/3] Introduce red_link_info_test_capability() +Subject: [PATCH] Introduce red_link_info_test_capability() This just hides a bit of pointer arithmetic away from reds_send_link_ack. This helper will be used in the next commits. @@ -10,7 +10,7 @@ This helper will be used in the next commits. 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/server/reds.c b/server/reds.c -index ccba67c..c1edf67 100644 +index ccba67c..9971b7a 100644 --- a/server/reds.c +++ b/server/reds.c @@ -1446,6 +1446,22 @@ static void reds_channel_init_auth_caps(RedLinkInfo *link, RedChannel *channel) @@ -55,6 +55,3 @@ index ccba67c..c1edf67 100644 if (!reds_security_check(link)) { if (link->stream->ssl) { --- -2.4.4 - diff --git a/SOURCES/0040-Don-t-set-SpiceLinkReply-pub_key-if-client-advertise.patch b/SOURCES/0040-Don-t-set-SpiceLinkReply-pub_key-if-client-advertise.patch index 47993b3..9c2c90c 100644 --- a/SOURCES/0040-Don-t-set-SpiceLinkReply-pub_key-if-client-advertise.patch +++ b/SOURCES/0040-Don-t-set-SpiceLinkReply-pub_key-if-client-advertise.patch @@ -1,8 +1,8 @@ -From 3a3ec08f25e2b53e9de256fcb3a4f951c4b1e871 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 9 Jul 2015 01:04:31 +0200 -Subject: [PATCH 3/3] Don't set SpiceLinkReply::pub_key if client advertises - SASL cap +Subject: [PATCH] Don't set SpiceLinkReply::pub_key if client advertises SASL + cap If the client advertises the SASL cap, it means it guarantees it will be able to use SASL if the server supports, and that it does not need a valid @@ -23,7 +23,7 @@ described above, SASL authentication has to be used. 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/server/reds.c b/server/reds.c -index c1edf67..9521416 100644 +index 9971b7a..f996c71 100644 --- a/server/reds.c +++ b/server/reds.c @@ -1469,7 +1469,7 @@ static int reds_send_link_ack(RedLinkInfo *link) @@ -106,6 +106,3 @@ index c1edf67..9521416 100644 return ret; } --- -2.4.4 - diff --git a/SOURCES/0041-server-don-t-assert-on-invalid-client-message.patch b/SOURCES/0041-server-don-t-assert-on-invalid-client-message.patch index a3750ca..f920c78 100644 --- a/SOURCES/0041-server-don-t-assert-on-invalid-client-message.patch +++ b/SOURCES/0041-server-don-t-assert-on-invalid-client-message.patch @@ -1,4 +1,4 @@ -From cf19a886b8ce41ce7c5159a2898f9587318a32ad Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Wed, 25 Jun 2014 14:36:03 +0200 Subject: [PATCH] server: don't assert on invalid client message @@ -28,6 +28,3 @@ index ebddfcd..c451031 100644 n = reds_stream_read(channel->stream, channel->recive_data.now, n); if (n <= 0) { if (n == 0) { --- -2.4.4 - diff --git a/SOURCES/0042-Don-t-truncate-large-now-values-in-_spice_timer_set.patch b/SOURCES/0042-Don-t-truncate-large-now-values-in-_spice_timer_set.patch index 792da4f..1e34305 100644 --- a/SOURCES/0042-Don-t-truncate-large-now-values-in-_spice_timer_set.patch +++ b/SOURCES/0042-Don-t-truncate-large-now-values-in-_spice_timer_set.patch @@ -1,4 +1,4 @@ -From d6f73e30020e0e2cbe6ee48d5f1bf38e0587ba83 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: David Gibson Date: Mon, 10 Mar 2014 11:55:47 +0100 Subject: [PATCH] Don't truncate large 'now' values in _spice_timer_set @@ -75,6 +75,3 @@ index 8f6e9c8..71de84a 100644 while ((head = ring_get_head(&queue->active_timers))) { SpiceTimer *timer = SPICE_CONTAINEROF(head, SpiceTimer, active_link); --- -2.4.4 - diff --git a/SOURCES/0043-Avoid-race-conditions-reading-monitor-configs-from-g.patch b/SOURCES/0043-Avoid-race-conditions-reading-monitor-configs-from-g.patch index c26de66..14ed533 100644 --- a/SOURCES/0043-Avoid-race-conditions-reading-monitor-configs-from-g.patch +++ b/SOURCES/0043-Avoid-race-conditions-reading-monitor-configs-from-g.patch @@ -1,4 +1,4 @@ -From 4249d114abe6ace0553b6cfd1464e220d1e5acb1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 9 Jun 2015 08:50:46 +0100 Subject: [PATCH] Avoid race conditions reading monitor configs from guest @@ -115,6 +115,3 @@ index 9e6a6ad..955cac2 100644 red_worker_push_monitors_config(worker); } --- -2.4.4 - diff --git a/SOURCES/0044-Lock-the-pixmap-image-cache-for-the-entire-fill_bits.patch b/SOURCES/0044-Lock-the-pixmap-image-cache-for-the-entire-fill_bits.patch index bcc9e80..2b4c80e 100644 --- a/SOURCES/0044-Lock-the-pixmap-image-cache-for-the-entire-fill_bits.patch +++ b/SOURCES/0044-Lock-the-pixmap-image-cache-for-the-entire-fill_bits.patch @@ -1,4 +1,4 @@ -From 6f7e2fca1030e38f3a82f09b30a4839923f17c66 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Sandy Stutsman Date: Fri, 26 Jun 2015 11:59:13 -0400 Subject: [PATCH] Lock the pixmap image cache for the entire fill_bits call @@ -218,6 +218,3 @@ index 955cac2..93e3398 100644 return 0; } --- -2.4.4 - diff --git a/SOURCES/0045-reds-Assure-we-don-t-have-stale-statistic-files-befo.patch b/SOURCES/0045-reds-Assure-we-don-t-have-stale-statistic-files-befo.patch index 951a92e..35614e0 100644 --- a/SOURCES/0045-reds-Assure-we-don-t-have-stale-statistic-files-befo.patch +++ b/SOURCES/0045-reds-Assure-we-don-t-have-stale-statistic-files-befo.patch @@ -1,4 +1,4 @@ -From 40537f6a3e3389b8377b0ae790c62ea0da8aa6d8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 15 Jul 2015 14:15:52 +0100 Subject: [PATCH] reds: Assure we don't have stale statistic files before @@ -21,10 +21,10 @@ Signed-off-by: Frediano Ziglio 1 file changed, 1 insertion(+) diff --git a/server/reds.c b/server/reds.c -index 57ef07a..c74894a 100644 +index f996c71..e96f28d 100644 --- a/server/reds.c +++ b/server/reds.c -@@ -3291,6 +3291,7 @@ static int do_spice_init(SpiceCoreInterface *core_interface) +@@ -4011,6 +4011,7 @@ static int do_spice_init(SpiceCoreInterface *core_interface) shm_name_len = strlen(SPICE_STAT_SHM_NAME) + 20; reds->stat_shm_name = (char *)spice_malloc(shm_name_len); snprintf(reds->stat_shm_name, shm_name_len, SPICE_STAT_SHM_NAME, getpid()); @@ -32,6 +32,3 @@ index 57ef07a..c74894a 100644 if ((fd = shm_open(reds->stat_shm_name, O_CREAT | O_RDWR, 0444)) == -1) { spice_error("statistics shm_open failed, %s", strerror(errno)); } --- -2.1.0 - diff --git a/SOURCES/0046-worker-validate-correctly-surfaces.patch b/SOURCES/0046-worker-validate-correctly-surfaces.patch index f7a89d8..4c83112 100644 --- a/SOURCES/0046-worker-validate-correctly-surfaces.patch +++ b/SOURCES/0046-worker-validate-correctly-surfaces.patch @@ -1,7 +1,7 @@ -From bea51d967731a2be7741fcbeef799b9fd925343a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 9 Sep 2015 12:42:09 +0100 -Subject: [PATCH 1/2] worker: validate correctly surfaces +Subject: [PATCH] worker: validate correctly surfaces Do not just give warning and continue to use an invalid index into an array. @@ -131,6 +131,3 @@ index 93e3398..c62dbcb 100644 spice_warn_if(surface_id != 0); spice_debug(NULL); --- -2.4.3 - diff --git a/SOURCES/0047-worker-avoid-double-free-or-double-create-of-surface.patch b/SOURCES/0047-worker-avoid-double-free-or-double-create-of-surface.patch index 2ef2398..5565ad2 100644 --- a/SOURCES/0047-worker-avoid-double-free-or-double-create-of-surface.patch +++ b/SOURCES/0047-worker-avoid-double-free-or-double-create-of-surface.patch @@ -1,7 +1,7 @@ -From 269e9d112639ab6c54645de217c46ef75617d780 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 9 Sep 2015 12:45:06 +0100 -Subject: [PATCH 2/2] worker: avoid double free or double create of surfaces +Subject: [PATCH] worker: avoid double free or double create of surfaces A driver can overwrite surface state creating a surface with the same id of a previous one. @@ -41,6 +41,3 @@ index c62dbcb..a7eaab9 100644 set_surface_release_info(worker, surface_id, 0, surface->release_info, group_id); red_handle_depends_on_target_surface(worker, surface_id); /* note that red_handle_depends_on_target_surface must be called before red_current_clear. --- -2.4.3 - diff --git a/SOURCES/0048-Define-a-constant-to-limit-data-from-guest.patch b/SOURCES/0048-Define-a-constant-to-limit-data-from-guest.patch index d306102..7ab58f5 100644 --- a/SOURCES/0048-Define-a-constant-to-limit-data-from-guest.patch +++ b/SOURCES/0048-Define-a-constant-to-limit-data-from-guest.patch @@ -1,7 +1,7 @@ -From 2e1cac5508cd04815e0e624cdbc436857934f689 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 11:58:11 +0100 -Subject: [PATCH 48/64] Define a constant to limit data from guest. +Subject: [PATCH] Define a constant to limit data from guest. This limit will prevent guest trying to do nasty things and DoS to host. @@ -37,6 +37,3 @@ index 6c0b065..4449f2c 100644 #if 0 static void hexdump_qxl(RedMemSlotInfo *slots, int group_id, QXLPHYSICAL addr, uint8_t bytes) --- -2.4.3 - diff --git a/SOURCES/0049-Fix-some-integer-overflow-causing-large-memory-alloc.patch b/SOURCES/0049-Fix-some-integer-overflow-causing-large-memory-alloc.patch index 6b24d9e..e03bba2 100644 --- a/SOURCES/0049-Fix-some-integer-overflow-causing-large-memory-alloc.patch +++ b/SOURCES/0049-Fix-some-integer-overflow-causing-large-memory-alloc.patch @@ -1,8 +1,7 @@ -From c0860a1bce777a2b54a31a01d09a71e80657b5ff Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Thu, 17 Sep 2015 15:00:22 +0100 -Subject: [PATCH 49/64] Fix some integer overflow causing large memory - allocations +Subject: [PATCH] Fix some integer overflow causing large memory allocations Prevent integer overflow when computing image sizes. Image index computations are done using 32 bit so this can cause easily @@ -64,6 +63,3 @@ index 4449f2c..ceb2759 100644 red->u.surface_create.data = (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); if (error) { --- -2.4.3 - diff --git a/SOURCES/0050-Check-properly-surface-to-be-created.patch b/SOURCES/0050-Check-properly-surface-to-be-created.patch index f40ce03..4e5297b 100644 --- a/SOURCES/0050-Check-properly-surface-to-be-created.patch +++ b/SOURCES/0050-Check-properly-surface-to-be-created.patch @@ -1,7 +1,7 @@ -From b541f856f5c7fd70c1dad688306bcdfadfc2e4b9 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 16:02:59 +0100 -Subject: [PATCH 50/64] Check properly surface to be created +Subject: [PATCH] Check properly surface to be created Check format is valid. Check stride is at least the size of required bytes for a row. @@ -73,6 +73,3 @@ index ceb2759..a7ca71d 100644 return 1; } red->u.surface_create.data = --- -2.4.3 - diff --git a/SOURCES/0051-Fix-buffer-reading-overflow.patch b/SOURCES/0051-Fix-buffer-reading-overflow.patch index db3b272..4a7a9cc 100644 --- a/SOURCES/0051-Fix-buffer-reading-overflow.patch +++ b/SOURCES/0051-Fix-buffer-reading-overflow.patch @@ -1,7 +1,7 @@ -From 214a0c88ecbac0229ddc2d7067a8a3ce9821df5c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:00:37 +0100 -Subject: [PATCH 51/64] Fix buffer reading overflow +Subject: [PATCH] Fix buffer reading overflow Not security risk as just for read. However, this could be used to attempt integer overflows in the @@ -33,6 +33,3 @@ index a7ca71d..01cba0f 100644 if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) { spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n", --- -2.4.3 - diff --git a/SOURCES/0052-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch b/SOURCES/0052-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch index e075eb4..5a990ad 100644 --- a/SOURCES/0052-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch +++ b/SOURCES/0052-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch @@ -1,7 +1,7 @@ -From 0ede6619b828335a10ba94fe2739e01d5162d81c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 13:09:35 +0100 -Subject: [PATCH 52/64] Prevent 32 bit integer overflow in bitmap_consistent +Subject: [PATCH] Prevent 32 bit integer overflow in bitmap_consistent The overflow may lead to buffer overflow as the row size computed from width (bitmap->x) can be bigger than the size in bytes (bitmap->stride). @@ -43,6 +43,3 @@ index 01cba0f..3385f52 100644 bitmap->stride, bitmap->x, bpp, bitmap_format_to_string(bitmap->format), bitmap->format); --- -2.4.3 - diff --git a/SOURCES/0053-Fix-race-condition-on-red_get_clip_rects.patch b/SOURCES/0053-Fix-race-condition-on-red_get_clip_rects.patch index f358959..83ebfe1 100644 --- a/SOURCES/0053-Fix-race-condition-on-red_get_clip_rects.patch +++ b/SOURCES/0053-Fix-race-condition-on-red_get_clip_rects.patch @@ -1,7 +1,7 @@ -From eede1d8307b48016274077eea4dd9c7a296bf84a Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:01:51 +0100 -Subject: [PATCH 53/64] Fix race condition on red_get_clip_rects +Subject: [PATCH] Fix race condition on red_get_clip_rects Do not read multiple time an array size that can be changed. @@ -37,6 +37,3 @@ index 3385f52..affd3a2 100644 start = (QXLRect*)data; for (i = 0; i < red->num_rects; i++) { --- -2.4.3 - diff --git a/SOURCES/0054-Fix-race-in-red_get_image.patch b/SOURCES/0054-Fix-race-in-red_get_image.patch index ac9cc18..fa53795 100644 --- a/SOURCES/0054-Fix-race-in-red_get_image.patch +++ b/SOURCES/0054-Fix-race-in-red_get_image.patch @@ -1,7 +1,7 @@ -From e4112afbe0f55df29068933e471fe348f79d4f04 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:04:10 +0100 -Subject: [PATCH 54/64] Fix race in red_get_image +Subject: [PATCH] Fix race in red_get_image Do not read multiple times data from guest as this could be changed by other vcpu threads. @@ -72,6 +72,3 @@ index affd3a2..84ea526 100644 num_ents * sizeof(qp->ents[0]), group_id)) { goto error; } --- -2.4.3 - diff --git a/SOURCES/0055-Fix-race-condition-in-red_get_string.patch b/SOURCES/0055-Fix-race-condition-in-red_get_string.patch index a8a6cb4..5e7a716 100644 --- a/SOURCES/0055-Fix-race-condition-in-red_get_string.patch +++ b/SOURCES/0055-Fix-race-condition-in-red_get_string.patch @@ -1,7 +1,7 @@ -From ee52db855a3b25965d5e363d64831864efe3f4f3 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:05:20 +0100 -Subject: [PATCH 55/64] Fix race condition in red_get_string +Subject: [PATCH] Fix race condition in red_get_string Do not read multiple time an array size that can be changed. @@ -57,6 +57,3 @@ index 84ea526..2d4636e 100644 start = (QXLRasterGlyph*)data; end = (QXLRasterGlyph*)(data + chunk_size); --- -2.4.3 - diff --git a/SOURCES/0056-Fix-integer-overflow-computing-glyph_size-in-red_get.patch b/SOURCES/0056-Fix-integer-overflow-computing-glyph_size-in-red_get.patch index 24c253f..34a462f 100644 --- a/SOURCES/0056-Fix-integer-overflow-computing-glyph_size-in-red_get.patch +++ b/SOURCES/0056-Fix-integer-overflow-computing-glyph_size-in-red_get.patch @@ -1,8 +1,7 @@ -From d6307f37304bddf6d76c42a6bdd8475ccab9582d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:13:24 +0100 -Subject: [PATCH 56/64] Fix integer overflow computing glyph_size in - red_get_string +Subject: [PATCH] Fix integer overflow computing glyph_size in red_get_string If bpp is int the formula can lead to weird overflows. width and height are uint16_t so the formula is: @@ -58,6 +57,3 @@ index 2d4636e..c4b82be 100644 spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end); memcpy(glyph->data, start->data, glyph_size); start = (QXLRasterGlyph*)(&start->data[glyph_size]); --- -2.4.3 - diff --git a/SOURCES/0057-Fix-race-condition-in-red_get_data_chunks_ptr.patch b/SOURCES/0057-Fix-race-condition-in-red_get_data_chunks_ptr.patch index d128555..e17c267 100644 --- a/SOURCES/0057-Fix-race-condition-in-red_get_data_chunks_ptr.patch +++ b/SOURCES/0057-Fix-race-condition-in-red_get_data_chunks_ptr.patch @@ -1,7 +1,7 @@ -From a1ead07b6a0facefafb959542f3088f427c7eb2d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 12:12:19 +0100 -Subject: [PATCH 57/64] Fix race condition in red_get_data_chunks_ptr +Subject: [PATCH] Fix race condition in red_get_data_chunks_ptr Do not read multiple times data from guest as this can be changed by other guest vcpus. This causes races and security problems if these @@ -61,6 +61,3 @@ index c4b82be..7cc20e6 100644 red->prev_chunk = red_prev; red_prev->next_chunk = red; } --- -2.4.3 - diff --git a/SOURCES/0058-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch b/SOURCES/0058-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch index f28db57..34a3f83 100644 --- a/SOURCES/0058-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch +++ b/SOURCES/0058-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch @@ -1,7 +1,7 @@ -From 098e6e9e479a1188c5b5050ac8a0d4f495ec4842 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 12:14:55 +0100 -Subject: [PATCH 58/64] Prevent memory leak if red_get_data_chunks_ptr fails +Subject: [PATCH] Prevent memory leak if red_get_data_chunks_ptr fails Free linked list if client tries to do nasty things @@ -70,6 +70,3 @@ index 7cc20e6..fe3ae78 100644 } static size_t red_get_data_chunks(RedMemSlotInfo *slots, int group_id, --- -2.4.3 - diff --git a/SOURCES/0059-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch b/SOURCES/0059-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch index 2f11b59..88d955a 100644 --- a/SOURCES/0059-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch +++ b/SOURCES/0059-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch @@ -1,8 +1,8 @@ -From f89da55f4c4fcc09f201562854f3768911fdab07 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 12:28:54 +0100 -Subject: [PATCH 59/64] Prevent DoS from guest trying to allocate too much data - on host for chunks +Subject: [PATCH] Prevent DoS from guest trying to allocate too much data on + host for chunks Limit number of chunks to a given amount to avoid guest trying to allocate too much memory. Using circular or nested chunks lists @@ -97,6 +97,3 @@ index fe3ae78..f183248 100644 if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) goto error; } --- -2.4.3 - diff --git a/SOURCES/0060-Fix-some-possible-overflows-in-red_get_string-for-32.patch b/SOURCES/0060-Fix-some-possible-overflows-in-red_get_string-for-32.patch index b94f03f..ca0dff1 100644 --- a/SOURCES/0060-Fix-some-possible-overflows-in-red_get_string-for-32.patch +++ b/SOURCES/0060-Fix-some-possible-overflows-in-red_get_string-for-32.patch @@ -1,8 +1,7 @@ -From b61b33beae8b7560d05fe0d8349446bc16d08c62 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 13:06:03 +0100 -Subject: [PATCH 60/64] Fix some possible overflows in red_get_string for 32 - bit +Subject: [PATCH] Fix some possible overflows in red_get_string for 32 bit Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau @@ -36,6 +35,3 @@ index f183248..668ce10 100644 memcpy(glyph->data, start->data, glyph_size); start = (QXLRasterGlyph*)(&start->data[glyph_size]); glyph = (SpiceRasterGlyph*) --- -2.4.3 - diff --git a/SOURCES/0061-Make-sure-we-can-read-QXLPathSeg-structures.patch b/SOURCES/0061-Make-sure-we-can-read-QXLPathSeg-structures.patch index ad6bc16..dd68ace 100644 --- a/SOURCES/0061-Make-sure-we-can-read-QXLPathSeg-structures.patch +++ b/SOURCES/0061-Make-sure-we-can-read-QXLPathSeg-structures.patch @@ -1,7 +1,7 @@ -From 13dadd08709caa8e736cbbc886f5f8ba7bad7785 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 15 Sep 2015 16:25:17 +0100 -Subject: [PATCH 61/64] Make sure we can read QXLPathSeg structures +Subject: [PATCH] Make sure we can read QXLPathSeg structures start pointer points to a QXLPathSeg structure. Before reading from the structure, make sure the structure is contained @@ -35,6 +35,3 @@ index 668ce10..4663bfd 100644 red->segments[n_segments++] = seg; count = start->count; --- -2.4.3 - diff --git a/SOURCES/0062-Avoid-race-condition-copying-segments-in-red_get_pat.patch b/SOURCES/0062-Avoid-race-condition-copying-segments-in-red_get_pat.patch index 25da97b..c6f4253 100644 --- a/SOURCES/0062-Avoid-race-condition-copying-segments-in-red_get_pat.patch +++ b/SOURCES/0062-Avoid-race-condition-copying-segments-in-red_get_pat.patch @@ -1,7 +1,7 @@ -From a2510f4df1c01a48515504c25cd9f0d9d1e839d0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 15 Sep 2015 16:38:23 +0100 -Subject: [PATCH 62/64] Avoid race condition copying segments in red_get_path +Subject: [PATCH] Avoid race condition copying segments in red_get_path The guest can attempt to increase the number of segments while spice-server is reading them. @@ -26,6 +26,3 @@ index 4663bfd..c1df8e8 100644 red->segments[n_segments++] = seg; count = start->count; --- -2.4.3 - diff --git a/SOURCES/0063-Prevent-data_size-to-be-set-independently-from-data.patch b/SOURCES/0063-Prevent-data_size-to-be-set-independently-from-data.patch index 1ccbb11..4cbe23b 100644 --- a/SOURCES/0063-Prevent-data_size-to-be-set-independently-from-data.patch +++ b/SOURCES/0063-Prevent-data_size-to-be-set-independently-from-data.patch @@ -1,7 +1,7 @@ -From acda240cbeb8a15aafd73b55a22fd3dfa7f03df1 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Thu, 17 Sep 2015 14:28:36 +0100 -Subject: [PATCH 63/64] Prevent data_size to be set independently from data +Subject: [PATCH] Prevent data_size to be set independently from data There was not check for data_size field so one could set data to a small set of data and data_size much bigger than size of data @@ -24,6 +24,3 @@ index c1df8e8..8e3dd55 100644 data = red_linearize_chunk(&chunks, size, &free_data); red_put_data_chunks(&chunks); if (free_data) { --- -2.4.3 - diff --git a/SOURCES/0064-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch b/SOURCES/0064-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch index 7b1a381..a0bbb61 100644 --- a/SOURCES/0064-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch +++ b/SOURCES/0064-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch @@ -1,8 +1,8 @@ -From ffa092aa729613de9fe9f7f59beea4338b324f5c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Thu, 17 Sep 2015 15:01:05 +0100 -Subject: [PATCH 64/64] Prevent leak if size from red_get_data_chunks don't - match in red_get_image +Subject: [PATCH] Prevent leak if size from red_get_data_chunks don't match in + red_get_image Signed-off-by: Frediano Ziglio --- @@ -29,6 +29,3 @@ index 8e3dd55..bd0c408 100644 goto error; } red->u.quic.data = red_get_image_data_chunked(slots, group_id, --- -2.4.3 - diff --git a/SOURCES/0069-red-channel-make-red_client_-ref-unref-thread-safe.patch b/SOURCES/0069-red-channel-make-red_client_-ref-unref-thread-safe.patch deleted file mode 100644 index a429d17..0000000 --- a/SOURCES/0069-red-channel-make-red_client_-ref-unref-thread-safe.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 12 Apr 2016 16:28:07 +0100 -Subject: [PATCH] red-channel: make red_client_{ref,unref} thread safe - -These function are called on both sides of dispatcher so the -increment/decrement of the counter is done in multiple threads. -This caused the counter to not get incremented correctly and -freed the structure too early, leaving a dangling pointer in -the other thread. - -This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1253375. - -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau -Acked-by: Jonathon Jongsma ---- - server/red_channel.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/server/red_channel.c b/server/red_channel.c -index 449e628..82e7137 100644 ---- a/server/red_channel.c -+++ b/server/red_channel.c -@@ -2060,13 +2060,13 @@ RedClient *red_client_new(int migrated) - RedClient *red_client_ref(RedClient *client) - { - spice_assert(client); -- client->refs++; -+ g_atomic_int_inc(&client->refs); - return client; - } - - RedClient *red_client_unref(RedClient *client) - { -- if (!--client->refs) { -+ if (g_atomic_int_dec_and_test(&client->refs)) { - spice_debug("release client=%p", client); - pthread_mutex_destroy(&client->lock); - free(client); diff --git a/SOURCES/0069-reds-Do-not-abort-due-to-wrong-header.patch b/SOURCES/0069-reds-Do-not-abort-due-to-wrong-header.patch new file mode 100644 index 0000000..a420d2f --- /dev/null +++ b/SOURCES/0069-reds-Do-not-abort-due-to-wrong-header.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Pavel Grunt +Date: Fri, 13 Nov 2015 09:14:29 +0100 +Subject: [PATCH] reds: Do not abort due to wrong header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Just prevent the buggy client from connecting. + + #0 0x00007fffe83b2a98 in raise () at /lib64/libc.so.6 + #1 0x00007fffe83b469a in abort () at /lib64/libc.so.6 + #2 0x00007ffff7b1533d in spice_logv (log_domain=0x7ffff7b87226 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7ffff7b92aba "reds.c:1373", function=0x7ffff7b94f40 <__FUNCTION__.31775> "reds_send_link_ack", format=0x7ffff7b871fe "assertion `%s' failed", args=args@entry=0x7fffffffcb68) at log.c:109 + #3 0x00007ffff7b15468 in spice_log (log_domain=log_domain@entry=0x7ffff7b87226 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, strloc=strloc@entry=0x7ffff7b92aba "reds.c:1373", function=function@entry=0x7ffff7b94f40 <__FUNCTION__.31775> "reds_send_link_ack", format=format@entry=0x7ffff7b871fe "assertion `%s' failed") at log.c:123 + #4 0x00007ffff7aee335 in reds_handle_read_link_done (link=0x555556b27c70) + at reds.c:1373 + #5 0x00007ffff7aee335 in reds_handle_read_link_done (opaque=0x555556b27c70) + at reds.c:2139 + #6 0x000055555588acc6 in qemu_iohandler_poll () + #7 0x000055555588a8e1 in main_loop_wait () + #8 0x0000555555614064 in main () + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1281442 + +Acked-by: Fabiano FidĂȘncio +Acked-by: Frediano Ziglio +--- + server/reds.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/server/reds.c b/server/reds.c +index e96f28d..b45c44f 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1482,7 +1482,10 @@ static int reds_send_link_ack(RedLinkInfo *link) + channel = reds_find_channel(link->link_mess->channel_type, + link->link_mess->channel_id); + if (!channel) { +- spice_assert(link->link_mess->channel_type == SPICE_CHANNEL_MAIN); ++ if (link->link_mess->channel_type != SPICE_CHANNEL_MAIN) { ++ spice_warning("Received wrong header: channel_type != SPICE_CHANNEL_MAIN"); ++ return FALSE; ++ } + spice_assert(reds->main_channel); + channel = &reds->main_channel->base; + } diff --git a/SOURCES/0070-memslot-do-not-crash-if-guest-provide-a-wrong-addres.patch b/SOURCES/0070-memslot-do-not-crash-if-guest-provide-a-wrong-addres.patch new file mode 100644 index 0000000..29787ce --- /dev/null +++ b/SOURCES/0070-memslot-do-not-crash-if-guest-provide-a-wrong-addres.patch @@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 17 Feb 2016 21:22:22 +0000 +Subject: [PATCH] memslot: do not crash if guest provide a wrong address + +This could happen with buggy driver. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1264356 + +Signed-off-by: Frediano Ziglio +Acked-by: Pavel Grunt +--- + server/red_memslots.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/server/red_memslots.c b/server/red_memslots.c +index d9153d3..3b8443e 100644 +--- a/server/red_memslots.c ++++ b/server/red_memslots.c +@@ -87,7 +87,7 @@ int validate_virt(RedMemSlotInfo *info, unsigned long virt, int slot_id, + + if (virt < slot->virt_start_addr || (virt + add_size) > slot->virt_end_addr) { + print_memslots(info); +- spice_critical("virtual address out of range\n" ++ spice_warning("virtual address out of range\n" + " virt=0x%lx+0x%x slot_id=%d group_id=%d\n" + " slot=0x%lx-0x%lx delta=0x%lx", + virt, add_size, slot_id, group_id, diff --git a/SOURCES/0071-red-channel-make-red_client_-ref-unref-thread-safe.patch b/SOURCES/0071-red-channel-make-red_client_-ref-unref-thread-safe.patch new file mode 100644 index 0000000..a429d17 --- /dev/null +++ b/SOURCES/0071-red-channel-make-red_client_-ref-unref-thread-safe.patch @@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 12 Apr 2016 16:28:07 +0100 +Subject: [PATCH] red-channel: make red_client_{ref,unref} thread safe + +These function are called on both sides of dispatcher so the +increment/decrement of the counter is done in multiple threads. +This caused the counter to not get incremented correctly and +freed the structure too early, leaving a dangling pointer in +the other thread. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1253375. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +Acked-by: Jonathon Jongsma +--- + server/red_channel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/server/red_channel.c b/server/red_channel.c +index 449e628..82e7137 100644 +--- a/server/red_channel.c ++++ b/server/red_channel.c +@@ -2060,13 +2060,13 @@ RedClient *red_client_new(int migrated) + RedClient *red_client_ref(RedClient *client) + { + spice_assert(client); +- client->refs++; ++ g_atomic_int_inc(&client->refs); + return client; + } + + RedClient *red_client_unref(RedClient *client) + { +- if (!--client->refs) { ++ if (g_atomic_int_dec_and_test(&client->refs)) { + spice_debug("release client=%p", client); + pthread_mutex_destroy(&client->lock); + free(client); diff --git a/SOURCES/0072-chardev-remove-write-polling.patch b/SOURCES/0072-chardev-remove-write-polling.patch new file mode 100644 index 0000000..4ad544b --- /dev/null +++ b/SOURCES/0072-chardev-remove-write-polling.patch @@ -0,0 +1,145 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 24 Oct 2014 10:51:05 +0200 +Subject: [PATCH] chardev: remove write polling + +In an effort to reduce the wakeups per second, get rid of the +"write_to_dev" timer when the implementation supports +SPICE_CHAR_DEVICE_NOTIFY_WRITABLE. + +When this flag is set, the frontend instance is responsible for calling +spice_char_device_wakeup() when the device is ready to perform IO. + +Related to: +https://bugzilla.redhat.com/show_bug.cgi?id=912763 +--- + server/char_device.c | 36 +++++++++++++++++++++++++++--------- + server/spice.h | 7 ++++++- + 2 files changed, 33 insertions(+), 10 deletions(-) + +diff --git a/server/char_device.c b/server/char_device.c +index 6d2339e..c6dc45b 100644 +--- a/server/char_device.c ++++ b/server/char_device.c +@@ -438,7 +438,10 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev) + } + + spice_char_device_state_ref(dev); +- core->timer_cancel(dev->write_to_dev_timer); ++ ++ if (dev->write_to_dev_timer) { ++ core->timer_cancel(dev->write_to_dev_timer); ++ } + + sif = SPICE_CONTAINEROF(dev->sin->base.sif, SpiceCharDeviceInterface, base); + while (dev->running) { +@@ -473,8 +476,10 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev) + /* retry writing as long as the write queue is not empty */ + if (dev->running) { + if (dev->cur_write_buf) { +- core->timer_start(dev->write_to_dev_timer, +- CHAR_DEVICE_WRITE_TO_TIMEOUT); ++ if (dev->write_to_dev_timer) { ++ core->timer_start(dev->write_to_dev_timer, ++ CHAR_DEVICE_WRITE_TO_TIMEOUT); ++ } + } else { + spice_assert(ring_is_empty(&dev->write_queue)); + } +@@ -488,7 +493,9 @@ static void spice_char_dev_write_retry(void *opaque) + { + SpiceCharDeviceState *dev = opaque; + +- core->timer_cancel(dev->write_to_dev_timer); ++ if (dev->write_to_dev_timer) { ++ core->timer_cancel(dev->write_to_dev_timer); ++ } + spice_char_device_write_to_device(dev); + } + +@@ -635,6 +642,7 @@ SpiceCharDeviceState *spice_char_device_state_create(SpiceCharDeviceInstance *si + void *opaque) + { + SpiceCharDeviceState *char_dev; ++ SpiceCharDeviceInterface *sif; + + spice_assert(sin); + spice_assert(cbs->read_one_msg_from_device && cbs->ref_msg_to_client && +@@ -652,10 +660,15 @@ SpiceCharDeviceState *spice_char_device_state_create(SpiceCharDeviceInstance *si + ring_init(&char_dev->write_bufs_pool); + ring_init(&char_dev->clients); + +- char_dev->write_to_dev_timer = core->timer_add(spice_char_dev_write_retry, char_dev); +- if (!char_dev->write_to_dev_timer) { +- spice_error("failed creating char dev write timer"); ++ sif = SPICE_CONTAINEROF(char_dev->sin->base.sif, SpiceCharDeviceInterface, base); ++ if (sif->base.minor_version <= 2 || ++ !(sif->flags & SPICE_CHAR_DEVICE_NOTIFY_WRITABLE)) { ++ char_dev->write_to_dev_timer = core->timer_add(spice_char_dev_write_retry, char_dev); ++ if (!char_dev->write_to_dev_timer) { ++ spice_error("failed creating char dev write timer"); ++ } + } ++ + char_dev->refs = 1; + sin->st = char_dev; + spice_debug("sin %p dev_state %p", sin, char_dev); +@@ -697,7 +710,9 @@ static void spice_char_device_state_unref(SpiceCharDeviceState *char_dev) + void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev) + { + reds_on_char_device_state_destroy(char_dev); +- core->timer_remove(char_dev->write_to_dev_timer); ++ if (char_dev->write_to_dev_timer) { ++ core->timer_remove(char_dev->write_to_dev_timer); ++ } + write_buffers_queue_free(&char_dev->write_queue); + write_buffers_queue_free(&char_dev->write_bufs_pool); + if (char_dev->cur_write_buf) { +@@ -805,7 +820,9 @@ void spice_char_device_stop(SpiceCharDeviceState *dev) + spice_debug("dev_state %p", dev); + dev->running = FALSE; + dev->active = FALSE; +- core->timer_cancel(dev->write_to_dev_timer); ++ if (dev->write_to_dev_timer) { ++ core->timer_cancel(dev->write_to_dev_timer); ++ } + } + + void spice_char_device_reset(SpiceCharDeviceState *dev) +@@ -842,6 +859,7 @@ void spice_char_device_reset(SpiceCharDeviceState *dev) + + void spice_char_device_wakeup(SpiceCharDeviceState *dev) + { ++ spice_char_device_write_to_device(dev); + spice_char_device_read_from_device(dev); + } + +diff --git a/server/spice.h b/server/spice.h +index 6fbb7b2..7b5e04e 100644 +--- a/server/spice.h ++++ b/server/spice.h +@@ -390,11 +390,15 @@ void spice_server_record_set_mute(SpiceRecordInstance *sin, uint8_t mute); + + #define SPICE_INTERFACE_CHAR_DEVICE "char_device" + #define SPICE_INTERFACE_CHAR_DEVICE_MAJOR 1 +-#define SPICE_INTERFACE_CHAR_DEVICE_MINOR 2 ++#define SPICE_INTERFACE_CHAR_DEVICE_MINOR 3 + typedef struct SpiceCharDeviceInterface SpiceCharDeviceInterface; + typedef struct SpiceCharDeviceInstance SpiceCharDeviceInstance; + typedef struct SpiceCharDeviceState SpiceCharDeviceState; + ++typedef enum { ++ SPICE_CHAR_DEVICE_NOTIFY_WRITABLE = 1 << 0, ++} spice_char_device_flags; ++ + struct SpiceCharDeviceInterface { + SpiceBaseInterface base; + +@@ -402,6 +406,7 @@ struct SpiceCharDeviceInterface { + int (*write)(SpiceCharDeviceInstance *sin, const uint8_t *buf, int len); + int (*read)(SpiceCharDeviceInstance *sin, uint8_t *buf, int len); + void (*event)(SpiceCharDeviceInstance *sin, uint8_t event); ++ spice_char_device_flags flags; + }; + + struct SpiceCharDeviceInstance { diff --git a/SOURCES/0073-clean-up-remove-unused-function.patch b/SOURCES/0073-clean-up-remove-unused-function.patch new file mode 100644 index 0000000..8b7b2fb --- /dev/null +++ b/SOURCES/0073-clean-up-remove-unused-function.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 18 Nov 2013 11:28:27 +0100 +Subject: [PATCH] clean-up: remove unused function + +--- + server/reds.c | 5 ----- + server/reds.h | 1 - + 2 files changed, 6 deletions(-) + +diff --git a/server/reds.c b/server/reds.c +index b45c44f..53f21bd 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -3572,11 +3572,6 @@ uint32_t reds_get_mm_time(void) + return time_space.tv_sec * 1000 + time_space.tv_nsec / 1000 / 1000; + } + +-void reds_update_mm_timer(uint32_t mm_time) +-{ +- red_dispatcher_set_mm_time(mm_time); +-} +- + void reds_enable_mm_timer(void) + { + core->timer_start(reds->mm_timer, MM_TIMER_GRANULARITY_MS); +diff --git a/server/reds.h b/server/reds.h +index 1c5ae84..24b4d95 100644 +--- a/server/reds.h ++++ b/server/reds.h +@@ -122,7 +122,6 @@ void reds_handle_channel_event(int event, SpiceChannelEventInfo *info); + + void reds_disable_mm_timer(void); + void reds_enable_mm_timer(void); +-void reds_update_mm_timer(uint32_t mm_time); + uint32_t reds_get_mm_time(void); + void reds_set_client_mouse_allowed(int is_client_mouse_allowed, + int x_res, int y_res); diff --git a/SOURCES/0074-Remove-guest-side-video-time-stamping.patch b/SOURCES/0074-Remove-guest-side-video-time-stamping.patch new file mode 100644 index 0000000..28f0440 --- /dev/null +++ b/SOURCES/0074-Remove-guest-side-video-time-stamping.patch @@ -0,0 +1,154 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Sun, 2 Nov 2014 22:11:58 +0100 +Subject: [PATCH] Remove guest side video time-stamping + +The multimedia time is defined by the server side monotonic time [1], +but the drawing time-stamp is done in guest side, so it requires +synchronization between host and guest. This is expensive, when no audio +is playing, there is a ~30x/sec wakeup to update the qxl device mmtime, +and it requires marking dirty the rom region. + +Instead, the video timestamping can be done more efficiently on server +side, without visible drawbacks. + +[1] a better timestamp could be the audio time, since audio players are + usually sync with audio time) + +Related to: +https://bugzilla.redhat.com/show_bug.cgi?id=912763 +--- + server/red_dispatcher.c | 9 --------- + server/red_worker.c | 1 + + server/reds-private.h | 2 -- + server/reds.c | 13 ------------- + server/snd_worker.c | 1 - + server/spice.h | 3 ++- + 6 files changed, 3 insertions(+), 26 deletions(-) + +diff --git a/server/red_dispatcher.c b/server/red_dispatcher.c +index 2ebde63..6ecd3d4 100644 +--- a/server/red_dispatcher.c ++++ b/server/red_dispatcher.c +@@ -749,15 +749,6 @@ static void qxl_worker_loadvm_commands(QXLWorker *qxl_worker, + red_dispatcher_loadvm_commands((RedDispatcher*)qxl_worker, ext, count); + } + +-void red_dispatcher_set_mm_time(uint32_t mm_time) +-{ +- RedDispatcher *now = dispatchers; +- while (now) { +- now->qxl->st->qif->set_mm_time(now->qxl, mm_time); +- now = now->next; +- } +-} +- + static inline int calc_compression_level(void) + { + spice_assert(streaming_video != STREAM_VIDEO_INVALID); +diff --git a/server/red_worker.c b/server/red_worker.c +index f9179a6..dfa5274 100644 +--- a/server/red_worker.c ++++ b/server/red_worker.c +@@ -4237,6 +4237,7 @@ static inline void red_process_drawable(RedWorker *worker, RedDrawable *drawable + return; + } + ++ drawable->mm_time = reds_get_mm_time(); + surface_id = item->surface_id; + + worker->surfaces[surface_id].refs++; +diff --git a/server/reds-private.h b/server/reds-private.h +index 9358d27..46899f6 100644 +--- a/server/reds-private.h ++++ b/server/reds-private.h +@@ -6,7 +6,6 @@ + #include + + #define MIGRATE_TIMEOUT (1000 * 10) /* 10sec */ +-#define MM_TIMER_GRANULARITY_MS (1000 / 30) + #define MM_TIME_DELTA 400 /*ms*/ + + typedef struct TicketAuthentication { +@@ -159,7 +158,6 @@ typedef struct RedsState { + int dispatcher_allows_client_mouse; + MonitorMode monitor_mode; + SpiceTimer *mig_timer; +- SpiceTimer *mm_timer; + + int vm_running; + Ring char_devs_states; /* list of SpiceCharDeviceStateItem */ +diff --git a/server/reds.c b/server/reds.c +index 53f21bd..f4c6d1d 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -3574,7 +3574,6 @@ uint32_t reds_get_mm_time(void) + + void reds_enable_mm_timer(void) + { +- core->timer_start(reds->mm_timer, MM_TIMER_GRANULARITY_MS); + reds->mm_timer_enabled = TRUE; + reds->mm_time_latency = MM_TIME_DELTA; + reds_send_mm_time(); +@@ -3582,16 +3581,9 @@ void reds_enable_mm_timer(void) + + void reds_disable_mm_timer(void) + { +- core->timer_cancel(reds->mm_timer); + reds->mm_timer_enabled = FALSE; + } + +-static void mm_timer_proc(void *opaque) +-{ +- red_dispatcher_set_mm_time(reds_get_mm_time()); +- core->timer_start(reds->mm_timer, MM_TIMER_GRANULARITY_MS); +-} +- + static SpiceCharDeviceState *attach_to_red_agent(SpiceCharDeviceInstance *sin) + { + VDIPortState *state = &reds->agent_state; +@@ -4029,11 +4021,6 @@ static int do_spice_init(SpiceCoreInterface *core_interface) + } + #endif + +- if (!(reds->mm_timer = core->timer_add(mm_timer_proc, NULL))) { +- spice_error("mm timer create failed"); +- } +- reds_enable_mm_timer(); +- + if (reds_init_net() < 0) { + goto err; + } +diff --git a/server/snd_worker.c b/server/snd_worker.c +index c451031..b6cb62b 100644 +--- a/server/snd_worker.c ++++ b/server/snd_worker.c +@@ -1113,7 +1113,6 @@ SPICE_GNUC_VISIBLE void spice_server_playback_put_samples(SpicePlaybackInstance + snd_playback_free_frame(playback_channel, playback_channel->pending_frame); + } + frame->time = reds_get_mm_time(); +- red_dispatcher_set_mm_time(frame->time); + playback_channel->pending_frame = frame; + snd_set_command(&playback_channel->base, SND_PLAYBACK_PCM_MASK); + snd_playback_send(&playback_channel->base); +diff --git a/server/spice.h b/server/spice.h +index 7b5e04e..9c8e18a 100644 +--- a/server/spice.h ++++ b/server/spice.h +@@ -20,6 +20,7 @@ + + #include + #include ++#include + #include + #include + +@@ -228,7 +229,7 @@ struct QXLInterface { + + void (*attache_worker)(QXLInstance *qin, QXLWorker *qxl_worker); + void (*set_compression_level)(QXLInstance *qin, int level); +- void (*set_mm_time)(QXLInstance *qin, uint32_t mm_time); ++ void (*set_mm_time)(QXLInstance *qin, uint32_t mm_time) SPICE_GNUC_DEPRECATED; + + void (*get_init_info)(QXLInstance *qin, QXLDevInitInfo *info); + int (*get_command)(QXLInstance *qin, struct QXLCommandExt *cmd); diff --git a/SOURCES/0075-char-device-fix-usage-of-free-unref-on-WriteBuffer.patch b/SOURCES/0075-char-device-fix-usage-of-free-unref-on-WriteBuffer.patch new file mode 100644 index 0000000..80704a0 --- /dev/null +++ b/SOURCES/0075-char-device-fix-usage-of-free-unref-on-WriteBuffer.patch @@ -0,0 +1,105 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Victor Toso +Date: Wed, 19 Aug 2015 10:53:22 +0200 +Subject: [PATCH] char-device: fix usage of free/unref on WriteBuffer + +There are places were the could should definetly free the +SpiceCharDeviceWriteBuffer and places that it should only unref it. The +current use of spice_char_device_write_buffer_free was missleading. + +This patch creates the spice_char_device_write_buffer_unref and properly +call these two functions. + +Related: https://bugs.freedesktop.org/show_bug.cgi?id=91350 +--- + server/char_device.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/server/char_device.c b/server/char_device.c +index c6dc45b..dd367ab 100644 +--- a/server/char_device.c ++++ b/server/char_device.c +@@ -80,6 +80,7 @@ enum { + * destroyed during a callback */ + static void spice_char_device_state_ref(SpiceCharDeviceState *char_dev); + static void spice_char_device_state_unref(SpiceCharDeviceState *char_dev); ++static void spice_char_device_write_buffer_unref(SpiceCharDeviceWriteBuffer *write_buf); + + static void spice_char_dev_write_retry(void *opaque); + +@@ -90,10 +91,11 @@ typedef struct SpiceCharDeviceMsgToClientItem { + + static void spice_char_device_write_buffer_free(SpiceCharDeviceWriteBuffer *buf) + { +- if (--buf->refs == 0) { +- free(buf->buf); +- free(buf); +- } ++ if (buf == NULL) ++ return; ++ ++ free(buf->buf); ++ free(buf); + } + + static void write_buffers_queue_free(Ring *write_queue) +@@ -116,9 +118,11 @@ static void spice_char_device_write_buffer_pool_add(SpiceCharDeviceState *dev, + buf->origin = WRITE_BUFFER_ORIGIN_NONE; + buf->client = NULL; + ring_add(&dev->write_bufs_pool, &buf->link); +- } else { +- --buf->refs; ++ return; + } ++ ++ /* Buffer still being used - just unref for the caller */ ++ spice_char_device_write_buffer_unref(buf); + } + + static void spice_char_device_client_send_queue_free(SpiceCharDeviceState *dev, +@@ -581,6 +585,15 @@ static SpiceCharDeviceWriteBuffer *spice_char_device_write_buffer_ref(SpiceCharD + return write_buf; + } + ++static void spice_char_device_write_buffer_unref(SpiceCharDeviceWriteBuffer *write_buf) ++{ ++ spice_assert(write_buf); ++ ++ write_buf->refs--; ++ if (write_buf->refs == 0) ++ spice_char_device_write_buffer_free(write_buf); ++} ++ + void spice_char_device_write_buffer_add(SpiceCharDeviceState *dev, + SpiceCharDeviceWriteBuffer *write_buf) + { +@@ -607,8 +620,7 @@ void spice_char_device_write_buffer_release(SpiceCharDeviceState *dev, + spice_assert(!ring_item_is_linked(&write_buf->link)); + if (!dev) { + spice_printerr("no device. write buffer is freed"); +- free(write_buf->buf); +- free(write_buf); ++ spice_char_device_write_buffer_free(write_buf); + return; + } + +@@ -715,9 +727,7 @@ void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev) + } + write_buffers_queue_free(&char_dev->write_queue); + write_buffers_queue_free(&char_dev->write_bufs_pool); +- if (char_dev->cur_write_buf) { +- spice_char_device_write_buffer_free(char_dev->cur_write_buf); +- } ++ spice_char_device_write_buffer_free(char_dev->cur_write_buf); + + while (!ring_is_empty(&char_dev->clients)) { + RingItem *item = ring_get_tail(&char_dev->clients); +@@ -883,7 +893,7 @@ static void migrate_data_marshaller_write_buffer_free(uint8_t *data, void *opaqu + { + SpiceCharDeviceWriteBuffer *write_buf = (SpiceCharDeviceWriteBuffer *)opaque; + +- spice_char_device_write_buffer_free(write_buf); ++ spice_char_device_write_buffer_unref(write_buf); + } + + void spice_char_device_state_migrate_data_marshall(SpiceCharDeviceState *dev, diff --git a/SOURCES/0076-spicevmc-set-state-of-DeviceInstance-to-NULL.patch b/SOURCES/0076-spicevmc-set-state-of-DeviceInstance-to-NULL.patch new file mode 100644 index 0000000..f5afa21 --- /dev/null +++ b/SOURCES/0076-spicevmc-set-state-of-DeviceInstance-to-NULL.patch @@ -0,0 +1,25 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Victor Toso +Date: Fri, 13 Nov 2015 10:46:43 +0100 +Subject: [PATCH] spicevmc: set state of DeviceInstance to NULL + +After spice_char_device_state_destroy is called spicevmc should not keep +reference to that memory. state->chardev_st and sin->st point to the +same SpiceCharDeviceState and both should be set to NULL when it is +destroyed. +--- + server/spicevmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/server/spicevmc.c b/server/spicevmc.c +index e10f183..94cb8a7 100644 +--- a/server/spicevmc.c ++++ b/server/spicevmc.c +@@ -559,6 +559,7 @@ void spicevmc_device_disconnect(SpiceCharDeviceInstance *sin) + } + spice_char_device_state_destroy(sin->st); + state->chardev_st = NULL; ++ sin->st = NULL; + + reds_unregister_channel(&state->channel); + free(state->pipe_item); diff --git a/SOURCES/0077-char-device-set-to-NULL-freed-pointers-on-destroy.patch b/SOURCES/0077-char-device-set-to-NULL-freed-pointers-on-destroy.patch new file mode 100644 index 0000000..ef4660b --- /dev/null +++ b/SOURCES/0077-char-device-set-to-NULL-freed-pointers-on-destroy.patch @@ -0,0 +1,31 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Victor Toso +Date: Fri, 13 Nov 2015 10:44:55 +0100 +Subject: [PATCH] char-device: set to NULL freed pointers on destroy + +As SpiceCharDeviceState is only unref'ed on +spice_char_device_state_destroy the same device could be destroyed more +then once so the pointers that are freed should be set to NULL. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1281455 +--- + server/char_device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/server/char_device.c b/server/char_device.c +index dd367ab..285299c 100644 +--- a/server/char_device.c ++++ b/server/char_device.c +@@ -724,10 +724,12 @@ void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev) + reds_on_char_device_state_destroy(char_dev); + if (char_dev->write_to_dev_timer) { + core->timer_remove(char_dev->write_to_dev_timer); ++ char_dev->write_to_dev_timer = NULL; + } + write_buffers_queue_free(&char_dev->write_queue); + write_buffers_queue_free(&char_dev->write_bufs_pool); + spice_char_device_write_buffer_free(char_dev->cur_write_buf); ++ char_dev->cur_write_buf = NULL; + + while (!ring_is_empty(&char_dev->clients)) { + RingItem *item = ring_get_tail(&char_dev->clients); diff --git a/SOURCES/0078-channel-add-option-tcp-keepalive-timeout-to-channels.patch b/SOURCES/0078-channel-add-option-tcp-keepalive-timeout-to-channels.patch new file mode 100644 index 0000000..8b81a8d --- /dev/null +++ b/SOURCES/0078-channel-add-option-tcp-keepalive-timeout-to-channels.patch @@ -0,0 +1,86 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Sunny Shin +Date: Tue, 1 Dec 2015 13:46:30 +0900 +Subject: [PATCH] channel: add option tcp keepalive timeout to channels + +--- + server/reds-private.h | 1 + + server/reds.c | 22 ++++++++++++++++++++++ + server/spice-server.syms | 5 +++++ + server/spice.h | 1 + + 4 files changed, 29 insertions(+) + +diff --git a/server/reds-private.h b/server/reds-private.h +index 46899f6..0f7ab65 100644 +--- a/server/reds-private.h ++++ b/server/reds-private.h +@@ -162,6 +162,7 @@ typedef struct RedsState { + int vm_running; + Ring char_devs_states; /* list of SpiceCharDeviceStateItem */ + int seamless_migration_enabled; /* command line arg */ ++ int keepalive_timeout; + + SSL_CTX *ctx; + +diff --git a/server/reds.c b/server/reds.c +index f4c6d1d..a28027e 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -2899,6 +2899,21 @@ static RedLinkInfo *reds_init_client_connection(int socket) + } + } + ++ if (reds->keepalive_timeout > 0) { ++ int keepalive = 1; ++ if (setsockopt(socket, SOL_SOCKET, SO_KEEPALIVE, &keepalive, sizeof(keepalive)) == -1) { ++ if (errno != ENOTSUP) { ++ spice_printerr("setsockopt for keepalive failed, %s", strerror(errno)); ++ } ++ } ++ if (setsockopt(socket, SOL_TCP, TCP_KEEPIDLE, ++ &reds->keepalive_timeout, sizeof(reds->keepalive_timeout)) == -1) { ++ if (errno != ENOTSUP) { ++ spice_printerr("setsockopt for keepalive timeout failed, %s", strerror(errno)); ++ } ++ } ++ } ++ + link = spice_new0(RedLinkInfo, 1); + stream = spice_new0(RedsStream, 1); + stream->info = spice_new0(SpiceChannelEventInfo, 1); +@@ -4690,3 +4705,10 @@ void reds_stream_free(RedsStream *s) + + free(s); + } ++ ++SPICE_GNUC_VISIBLE void spice_server_set_keepalive_timeout(SpiceServer *s, int timeout) ++{ ++ spice_assert(s == reds); ++ reds->keepalive_timeout = timeout; ++ spice_debug("keepalive timeout=%d", timeout); ++} +diff --git a/server/spice-server.syms b/server/spice-server.syms +index 4f2dc37..9af3354 100644 +--- a/server/spice-server.syms ++++ b/server/spice-server.syms +@@ -145,3 +145,8 @@ SPICE_SERVER_0.12.4 { + global: + spice_server_set_agent_file_xfer; + } SPICE_SERVER_0.12.3; ++ ++SPICE_SERVER_0.12.7 { ++global: ++ spice_server_set_keepalive_timeout; ++} SPICE_SERVER_0.12.4; +diff --git a/server/spice.h b/server/spice.h +index 9c8e18a..c31839d 100644 +--- a/server/spice.h ++++ b/server/spice.h +@@ -508,6 +508,7 @@ int spice_server_set_playback_compression(SpiceServer *s, int enable); + int spice_server_set_agent_mouse(SpiceServer *s, int enable); + int spice_server_set_agent_copypaste(SpiceServer *s, int enable); + int spice_server_set_agent_file_xfer(SpiceServer *s, int enable); ++void spice_server_set_keepalive_timeout(SpiceServer *s, int timeout); + + int spice_server_get_sock_info(SpiceServer *s, struct sockaddr *sa, socklen_t *salen); + int spice_server_get_peer_info(SpiceServer *s, struct sockaddr *sa, socklen_t *salen); diff --git a/SOURCES/0079-Always-enable-TCP-keepalive.patch b/SOURCES/0079-Always-enable-TCP-keepalive.patch new file mode 100644 index 0000000..be6db5c --- /dev/null +++ b/SOURCES/0079-Always-enable-TCP-keepalive.patch @@ -0,0 +1,69 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Wed, 2 Mar 2016 12:24:11 +0100 +Subject: [PATCH] Always enable TCP keepalive + +Always enabled, hardcoded interval +as per https://bugzilla.redhat.com/show_bug.cgi?id=1298590 +--- + server/reds.c | 40 ++++++++++++++++++++++++++-------------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +diff --git a/server/reds.c b/server/reds.c +index a28027e..a848828 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -2876,6 +2876,31 @@ static void reds_handle_ssl_accept(int fd, int event, void *data) + reds_handle_new_link(link); + } + ++#define KEEPALIVE_TIMEOUT (10*60) ++ ++static bool reds_init_keepalive(int socket) ++{ ++ int keepalive = 1; ++ int keepalive_timeout = KEEPALIVE_TIMEOUT; ++ ++ if (setsockopt(socket, SOL_SOCKET, SO_KEEPALIVE, &keepalive, sizeof(keepalive)) == -1) { ++ if (errno != ENOTSUP) { ++ spice_printerr("setsockopt for keepalive failed, %s", strerror(errno)); ++ return false; ++ } ++ } ++ ++ if (setsockopt(socket, SOL_TCP, TCP_KEEPIDLE, ++ &keepalive_timeout, sizeof(keepalive_timeout)) == -1) { ++ if (errno != ENOTSUP) { ++ spice_printerr("setsockopt for keepalive timeout failed, %s", strerror(errno)); ++ return false; ++ } ++ } ++ ++ return true; ++} ++ + static RedLinkInfo *reds_init_client_connection(int socket) + { + RedLinkInfo *link; +@@ -2899,20 +2924,7 @@ static RedLinkInfo *reds_init_client_connection(int socket) + } + } + +- if (reds->keepalive_timeout > 0) { +- int keepalive = 1; +- if (setsockopt(socket, SOL_SOCKET, SO_KEEPALIVE, &keepalive, sizeof(keepalive)) == -1) { +- if (errno != ENOTSUP) { +- spice_printerr("setsockopt for keepalive failed, %s", strerror(errno)); +- } +- } +- if (setsockopt(socket, SOL_TCP, TCP_KEEPIDLE, +- &reds->keepalive_timeout, sizeof(reds->keepalive_timeout)) == -1) { +- if (errno != ENOTSUP) { +- spice_printerr("setsockopt for keepalive timeout failed, %s", strerror(errno)); +- } +- } +- } ++ reds_init_keepalive(socket); + + link = spice_new0(RedLinkInfo, 1); + stream = spice_new0(RedsStream, 1); diff --git a/SOURCES/0080-Remove-spice_server_set_keepalive_timeout.patch b/SOURCES/0080-Remove-spice_server_set_keepalive_timeout.patch new file mode 100644 index 0000000..31f1f5b --- /dev/null +++ b/SOURCES/0080-Remove-spice_server_set_keepalive_timeout.patch @@ -0,0 +1,67 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Wed, 2 Mar 2016 12:25:23 +0100 +Subject: [PATCH] Remove spice_server_set_keepalive_timeout + +This public API is no longer needed as the keepalive interval does not +need to be configurable. This API was never in a stable 0.12 release, so +it's OK to remove it now. +--- + server/reds-private.h | 1 - + server/reds.c | 7 ------- + server/spice-server.syms | 5 ----- + server/spice.h | 1 - + 4 files changed, 14 deletions(-) + +diff --git a/server/reds-private.h b/server/reds-private.h +index 0f7ab65..46899f6 100644 +--- a/server/reds-private.h ++++ b/server/reds-private.h +@@ -162,7 +162,6 @@ typedef struct RedsState { + int vm_running; + Ring char_devs_states; /* list of SpiceCharDeviceStateItem */ + int seamless_migration_enabled; /* command line arg */ +- int keepalive_timeout; + + SSL_CTX *ctx; + +diff --git a/server/reds.c b/server/reds.c +index a848828..e7e4090 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -4717,10 +4717,3 @@ void reds_stream_free(RedsStream *s) + + free(s); + } +- +-SPICE_GNUC_VISIBLE void spice_server_set_keepalive_timeout(SpiceServer *s, int timeout) +-{ +- spice_assert(s == reds); +- reds->keepalive_timeout = timeout; +- spice_debug("keepalive timeout=%d", timeout); +-} +diff --git a/server/spice-server.syms b/server/spice-server.syms +index 9af3354..4f2dc37 100644 +--- a/server/spice-server.syms ++++ b/server/spice-server.syms +@@ -145,8 +145,3 @@ SPICE_SERVER_0.12.4 { + global: + spice_server_set_agent_file_xfer; + } SPICE_SERVER_0.12.3; +- +-SPICE_SERVER_0.12.7 { +-global: +- spice_server_set_keepalive_timeout; +-} SPICE_SERVER_0.12.4; +diff --git a/server/spice.h b/server/spice.h +index c31839d..9c8e18a 100644 +--- a/server/spice.h ++++ b/server/spice.h +@@ -508,7 +508,6 @@ int spice_server_set_playback_compression(SpiceServer *s, int enable); + int spice_server_set_agent_mouse(SpiceServer *s, int enable); + int spice_server_set_agent_copypaste(SpiceServer *s, int enable); + int spice_server_set_agent_file_xfer(SpiceServer *s, int enable); +-void spice_server_set_keepalive_timeout(SpiceServer *s, int timeout); + + int spice_server_get_sock_info(SpiceServer *s, struct sockaddr *sa, socklen_t *salen); + int spice_server_get_peer_info(SpiceServer *s, struct sockaddr *sa, socklen_t *salen); diff --git a/SOURCES/0081-sound-do-not-modify-client-state-on-migration.patch b/SOURCES/0081-sound-do-not-modify-client-state-on-migration.patch new file mode 100644 index 0000000..1893ec9 --- /dev/null +++ b/SOURCES/0081-sound-do-not-modify-client-state-on-migration.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 24 Apr 2015 14:05:00 +0200 +Subject: [PATCH] sound: do not modify client state on migration + +During migration, a volume jump is observed by the client. This is due +to qemu setting up destination server with default sound state, and the +server sending it after the client is connected. The volume is later +restored after migration is finished so there is no need to send this +default state values on connection. + +Tested with both AC97 & HDA devices. + +Fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=1012868 +--- + server/snd_worker.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/server/snd_worker.c b/server/snd_worker.c +index b6cb62b..d1bfcae 100644 +--- a/server/snd_worker.c ++++ b/server/snd_worker.c +@@ -1223,7 +1223,10 @@ static void snd_set_playback_peer(RedChannel *channel, RedClient *client, RedsSt + SPICE_PLAYBACK_CAP_CELT_0_5_1) ? + playback_compression : SPICE_AUDIO_DATA_MODE_RAW; + +- on_new_playback_channel(worker); ++ if (!red_client_during_migrate_at_target(client)) { ++ on_new_playback_channel(worker); ++ } ++ + if (worker->active) { + spice_server_playback_start(st->sin); + } diff --git a/SOURCES/0082-char-device-spice_char_device_write_to_device-protec.patch b/SOURCES/0082-char-device-spice_char_device_write_to_device-protec.patch new file mode 100644 index 0000000..44b250b --- /dev/null +++ b/SOURCES/0082-char-device-spice_char_device_write_to_device-protec.patch @@ -0,0 +1,152 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Mon, 2 Feb 2015 12:35:59 +0200 +Subject: [PATCH] char-device: spice_char_device_write_to_device: protect + against recursion + +This fixes Spice's smart card support and is related to +commit 697f3214fd16adcd524456003619f7f44ddd031b. + +Reported-by: Swapna Krishnan + +Recursion is now possible starting with spice_char_device_write_to_device +going through spice_char_device_wakeup (after going through qemu), +calling again to spice_char_device_write_to_device. + +The protecting code is the same as the one protecting the read path. + +This function call loop makes the program to abort with the following messages: + + usb-ccid: chardev: unexpected message of type 3000000 + qemu: qemu_mutex_lock: Resource deadlock avoided + +Backtrace: + +(gdb) bt +* #0 0x00007ffff3fc78c7 in raise () from /lib64/libc.so.6 +* #1 0x00007ffff3fc952a in abort () from /lib64/libc.so.6 +* #2 0x0000555555969a95 in error_exit (err=35, +* msg=0x5555559f8c90 <__func__.5119> "qemu_mutex_lock") +* at util/qemu-thread-posix.c:48 +* #3 0x0000555555969b82 in qemu_mutex_lock (mutex=0x5555562c4d60) +* at util/qemu-thread-posix.c:79 +* #4 0x0000555555714771 in qemu_chr_fe_write (s=0x5555562c4d60, +* buf=0x7fffffffd2a0 "", len=12) at qemu-char.c:219 +* #5 0x000055555586be49 in ccid_card_vscard_send_msg (s=0x5555565c5f80, +* type=VSC_Error, reader_id=0, payload=0x7fffffffd2e0 "", length=4) +* at hw/usb/ccid-card-passthru.c:75 +* #6 0x000055555586bf00 in ccid_card_vscard_send_error (s=0x5555565c5f80, +* reader_id=0, code=VSC_GENERAL_ERROR) at +* hw/usb/ccid-card-passthru.c:91 +* #7 0x000055555586c559 in ccid_card_vscard_handle_message ( +* card=0x5555565c5f80, scr_msg_header=0x5555565c6008) +* at hw/usb/ccid-card-passthru.c:254 +* #8 0x000055555586c72f in ccid_card_vscard_read (opaque=0x5555565c5f80, +* buf=0x5555565034b0 "", size=12) at hw/usb/ccid-card-passthru.c:289 +* #9 0x00005555557149db in qemu_chr_be_write (s=0x5555562c4d60, +* buf=0x5555565034b0 "", len=12) at qemu-char.c:305 +* #10 0x000055555571cde5 in vmc_write (sin=0x5555562c4e78, +* buf=0x5555565034b0 "", len=12) at spice-qemu-char.c:41 +* #11 0x00007ffff4fa86aa in spice_char_device_write_to_device ( +* dev=0x55555657f210) at char_device.c:462 +* #12 0x00007ffff4fa9b48 in spice_char_device_wakeup (dev=0x55555657f210) +* at char_device.c:862 +* #13 0x00007ffff4ff7658 in spice_server_char_device_wakeup +* (sin=0x5555562c4e78) at reds.c:2955 +* #14 0x000055555571d1d2 in spice_chr_write (chr=0x5555562c4d60, +* buf=0x7fffffffd560 "", len=12) at spice-qemu-char.c:189 +* #15 0x0000555555714789 in qemu_chr_fe_write (s=0x5555562c4d60, +* buf=0x7fffffffd560 "", len=12) at qemu-char.c:220 +* #16 0x000055555586be49 in ccid_card_vscard_send_msg (s=0x5555565c5f80, +* type=VSC_Error, reader_id=0, payload=0x7fffffffd5a0 "", length=4) +* at hw/usb/ccid-card-passthru.c:75 +* #17 0x000055555586bf00 in ccid_card_vscard_send_error +* (s=0x5555565c5f80, +* reader_id=0, code=VSC_SUCCESS) at hw/usb/ccid-card-passthru.c:91 +* #18 0x000055555586c4fc in ccid_card_vscard_handle_message ( +* card=0x5555565c5f80, scr_msg_header=0x5555565c6008) +* at hw/usb/ccid-card-passthru.c:242 +* #19 0x000055555586c72f in ccid_card_vscard_read (opaque=0x5555565c5f80, +* buf=0x5555565034b0 "", size=12) at hw/usb/ccid-card-passthru.c:289 +* #20 0x00005555557149db in qemu_chr_be_write (s=0x5555562c4d60, +* buf=0x5555565034b0 "", len=12) at qemu-char.c:305 +* #21 0x000055555571cde5 in vmc_write (sin=0x5555562c4e78, +* buf=0x5555565034b0 "", len=12) at spice-qemu-char.c:41 +* #22 0x00007ffff4fa86aa in spice_char_device_write_to_device ( +* dev=0x55555657f210) at char_device.c:462 +* #23 0x00007ffff4fa8d37 in spice_char_device_write_buffer_add ( +* dev=0x55555657f210, write_buf=0x555556501f70) at char_device.c:597 +* #24 0x00007ffff501142d in smartcard_channel_write_to_reader ( +* write_buf=0x555556501f70) at smartcard.c:669 +* #25 0x00007ffff501034c in smartcard_char_device_notify_reader_add ( +* st=0x55555657ef00) at smartcard.c:335 +* #26 0x00007ffff50112b3 in smartcard_add_reader (scc=0x555556493ee0, +* name=0x5555565023cc "E-Gate 0 0") at smartcard.c:642 +* #27 0x00007ffff50118d2 in smartcard_channel_handle_message ( +* rcc=0x555556493ee0, type=101, size=22, msg=0x5555565023c0 "\003") +* at smartcard.c:757 +* #28 0x00007ffff4fbc168 in red_peer_handle_incoming +* (stream=0x555556588250, handler=0x555556497ff0) at red_channel.c:308 +* #29 0x00007ffff4fbc231 in red_channel_client_receive +* (rcc=0x555556493ee0) at red_channel.c:326 +* #30 0x00007ffff4fc0019 in red_channel_client_event (fd=59, event=1, +* data=0x555556493ee0) at red_channel.c:1574 +* #31 0x00005555558b6076 in watch_read (opaque=0x5555565002f0) +* at ui/spice-core.c:101 +* #32 0x00005555558e8d48 in qemu_iohandler_poll (pollfds=0x5555562b7630, +* ret=2) at iohandler.c:143 +* #33 0x00005555558e89a4 in main_loop_wait (nonblocking=0) at +* main-loop.c:495 +* #34 0x00005555557219b0 in main_loop () at vl.c:1794 +* #35 0x0000555555729257 in main (argc=40, argv=0x7fffffffddc8, +* envp=0x7fffffffdf10) at vl.c:4350 + +(cherry picked from commit 0c1f5b00e7907aefee13f86a234558f00cd6c7ef) +--- + server/char_device.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/server/char_device.c b/server/char_device.c +index 285299c..e5d7c69 100644 +--- a/server/char_device.c ++++ b/server/char_device.c +@@ -64,6 +64,7 @@ struct SpiceCharDeviceState { + SpiceCharDeviceInstance *sin; + + int during_read_from_device; ++ int during_write_to_device; + + SpiceCharDeviceCallbacks cbs; + void *opaque; +@@ -441,6 +442,11 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev) + return 0; + } + ++ /* protect against recursion with spice_char_device_wakeup */ ++ if (dev->during_write_to_device++ > 0) { ++ return 0; ++ } ++ + spice_char_device_state_ref(dev); + + if (dev->write_to_dev_timer) { +@@ -465,6 +471,11 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev) + dev->cur_write_buf_pos; + n = sif->write(dev->sin, dev->cur_write_buf_pos, write_len); + if (n <= 0) { ++ if (dev->during_write_to_device > 1) { ++ dev->during_write_to_device = 1; ++ continue; /* a wakeup might have been called during the write - ++ make sure it doesn't get lost */ ++ } + break; + } + total += n; +@@ -489,6 +500,7 @@ static int spice_char_device_write_to_device(SpiceCharDeviceState *dev) + } + dev->active = dev->active || total; + } ++ dev->during_write_to_device = 0; + spice_char_device_state_unref(dev); + return total; + } diff --git a/SOURCES/0083-server-allows-to-set-maximum-monitors.patch b/SOURCES/0083-server-allows-to-set-maximum-monitors.patch new file mode 100644 index 0000000..fa60289 --- /dev/null +++ b/SOURCES/0083-server-allows-to-set-maximum-monitors.patch @@ -0,0 +1,119 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 19 Jun 2015 11:56:05 +0100 +Subject: [PATCH] server: allows to set maximum monitors + +spice-server will attempt to limit number of monitors. +Guest machine can send monitor list it accepts. Limiting the number sent +by guest will limit the number of monitors client will try to enable. +The guest usually see client monitors enabled and start using it so +not seeing client monitor won't try to enable more monitor. +In this case the additional monitor guest can support will always be +seen as heads with no attached monitors. +This allows limiting monitors number without changing guest drivers. + +Signed-off-by: Frediano Ziglio +--- + server/red_dispatcher.c | 10 ++++++++++ + server/red_dispatcher.h | 1 + + server/red_worker.c | 4 +++- + server/spice-server.syms | 5 +++++ + server/spice.h | 3 +++ + 5 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/server/red_dispatcher.c b/server/red_dispatcher.c +index 6ecd3d4..6b395f4 100644 +--- a/server/red_dispatcher.c ++++ b/server/red_dispatcher.c +@@ -64,6 +64,7 @@ struct RedDispatcher { + Ring async_commands; + pthread_mutex_t async_lock; + QXLDevSurfaceCreate surface_create; ++ unsigned int max_monitors; + }; + + typedef struct RedWorkeState { +@@ -701,6 +702,7 @@ static void red_dispatcher_monitors_config_async(RedDispatcher *dispatcher, + payload.base.cmd = async_command_alloc(dispatcher, message, cookie); + payload.monitors_config = monitors_config; + payload.group_id = group_id; ++ payload.max_monitors = dispatcher->max_monitors; + + dispatcher_send_message(&dispatcher->dispatcher, message, &payload); + } +@@ -995,6 +997,12 @@ void spice_qxl_monitors_config_async(QXLInstance *instance, QXLPHYSICAL monitors + } + + SPICE_GNUC_VISIBLE ++void spice_qxl_set_max_monitors(QXLInstance *instance, unsigned int max_monitors) ++{ ++ instance->st->dispatcher->max_monitors = MAX(1u, max_monitors); ++} ++ ++SPICE_GNUC_VISIBLE + void spice_qxl_driver_unload(QXLInstance *instance) + { + red_dispatcher_driver_unload(instance->st->dispatcher); +@@ -1116,6 +1124,8 @@ RedDispatcher *red_dispatcher_init(QXLInstance *qxl) + red_dispatcher->base.destroy_surface_wait = qxl_worker_destroy_surface_wait; + red_dispatcher->base.loadvm_commands = qxl_worker_loadvm_commands; + ++ red_dispatcher->max_monitors = UINT_MAX; ++ + qxl->st->qif->get_init_info(qxl, &init_info); + + init_data.memslot_id_bits = init_info.memslot_id_bits; +diff --git a/server/red_dispatcher.h b/server/red_dispatcher.h +index 7d23b11..bc4d620 100644 +--- a/server/red_dispatcher.h ++++ b/server/red_dispatcher.h +@@ -199,6 +199,7 @@ typedef struct RedWorkerMessageMonitorsConfigAsync { + RedWorkerMessageAsync base; + QXLPHYSICAL monitors_config; + int group_id; ++ unsigned int max_monitors; + } RedWorkerMessageMonitorsConfigAsync; + + typedef struct RedWorkerMessageDriverUnload { +diff --git a/server/red_worker.c b/server/red_worker.c +index dfa5274..64a7758 100644 +--- a/server/red_worker.c ++++ b/server/red_worker.c +@@ -11749,7 +11749,9 @@ static void handle_dev_monitors_config_async(void *opaque, void *payload) + /* TODO: raise guest bug (requires added QXL interface) */ + return; + } +- worker_update_monitors_config(worker, dev_monitors_config, count, max_allowed); ++ worker_update_monitors_config(worker, dev_monitors_config, ++ MIN(count, msg->max_monitors), ++ MIN(max_allowed, msg->max_monitors)); + red_worker_push_monitors_config(worker); + } + +diff --git a/server/spice-server.syms b/server/spice-server.syms +index 4f2dc37..59da512 100644 +--- a/server/spice-server.syms ++++ b/server/spice-server.syms +@@ -145,3 +145,8 @@ SPICE_SERVER_0.12.4 { + global: + spice_server_set_agent_file_xfer; + } SPICE_SERVER_0.12.3; ++ ++SPICE_SERVER_0.12.6 { ++global: ++ spice_qxl_set_max_monitors; ++} SPICE_SERVER_0.12.4; +diff --git a/server/spice.h b/server/spice.h +index 9c8e18a..3645775 100644 +--- a/server/spice.h ++++ b/server/spice.h +@@ -170,6 +170,9 @@ void spice_qxl_monitors_config_async(QXLInstance *instance, QXLPHYSICAL monitors + int group_id, uint64_t cookie); + /* since spice 0.12.3 */ + void spice_qxl_driver_unload(QXLInstance *instance); ++/* since spice 0.12.6 */ ++void spice_qxl_set_max_monitors(QXLInstance *instance, ++ unsigned int max_monitors); + + typedef struct QXLDrawArea { + uint8_t *buf; diff --git a/SOURCES/0084-Call-migrate_end_complete-after-falling-back-to-swit.patch b/SOURCES/0084-Call-migrate_end_complete-after-falling-back-to-swit.patch new file mode 100644 index 0000000..b33d17a --- /dev/null +++ b/SOURCES/0084-Call-migrate_end_complete-after-falling-back-to-swit.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 20 Jul 2016 17:16:31 +0400 +Subject: [PATCH] Call migrate_end_complete() after falling back to switch-host +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Eventually, during a seamless migration, qemu may finish to migrate +before the spice client even finished to connect all channels to +destination and informed the server. In this case, +main_channel_client_migrate_src_complete() will fall back to +switch-host method, and reds_mig_fill_wait_disconnect() is called to +complete the migration (disconnecting all channels). + +reds_mig_cleanup() is called when all channels are disconnected, but +reds->mig_wait_connect is still TRUE, and it will call +migrate_connect_complete() instead of the expected +migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when +reds_mig_fill_wait_disconnect() solves the issue. + +Fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=1352836 + +Signed-off-by: Marc-AndrĂ© Lureau +--- + server/reds.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/server/reds.c b/server/reds.c +index e7e4090..9e1d5e7 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -3500,6 +3500,7 @@ static void reds_mig_fill_wait_disconnect(void) + wait_client->client = client; + ring_add(&reds->mig_wait_disconnect_clients, &wait_client->link); + } ++ reds->mig_wait_connect = FALSE; + reds->mig_wait_disconnect = TRUE; + core->timer_start(reds->mig_timer, MIGRATE_TIMEOUT); + } diff --git a/SPECS/spice.spec b/SPECS/spice.spec index 33a94ff..88a3616 100644 --- a/SPECS/spice.spec +++ b/SPECS/spice.spec @@ -1,6 +1,6 @@ Name: spice Version: 0.12.4 -Release: 15%{?dist}.2 +Release: 19%{?dist} Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ @@ -74,7 +74,22 @@ Patch65: 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch Patch66: 0066-smartcard-allocate-msg-with-the-expected-size.patch Patch67: 0067-create-a-function-to-validate-surface-parameters.patch Patch68: 0068-improve-primary-surface-parameter-checks.patch -Patch69: 0069-red-channel-make-red_client_-ref-unref-thread-safe.patch +Patch69: 0069-reds-Do-not-abort-due-to-wrong-header.patch +Patch70: 0070-memslot-do-not-crash-if-guest-provide-a-wrong-addres.patch +Patch71: 0071-red-channel-make-red_client_-ref-unref-thread-safe.patch +Patch72: 0072-chardev-remove-write-polling.patch +Patch73: 0073-clean-up-remove-unused-function.patch +Patch74: 0074-Remove-guest-side-video-time-stamping.patch +Patch75: 0075-char-device-fix-usage-of-free-unref-on-WriteBuffer.patch +Patch76: 0076-spicevmc-set-state-of-DeviceInstance-to-NULL.patch +Patch77: 0077-char-device-set-to-NULL-freed-pointers-on-destroy.patch +Patch78: 0078-channel-add-option-tcp-keepalive-timeout-to-channels.patch +Patch79: 0079-Always-enable-TCP-keepalive.patch +Patch80: 0080-Remove-spice_server_set_keepalive_timeout.patch +Patch81: 0081-sound-do-not-modify-client-state-on-migration.patch +Patch82: 0082-char-device-spice_char_device_write_to_device-protec.patch +Patch83: 0083-server-allows-to-set-maximum-monitors.patch +Patch84: 0084-Call-migrate_end_complete-after-falling-back-to-swit.patch # https://bugzilla.redhat.com/show_bug.cgi?id=613529 @@ -91,6 +106,7 @@ BuildRequires: celt051-devel BuildRequires: pixman-devel alsa-lib-devel openssl-devel libjpeg-turbo-devel BuildRequires: libcacard-devel cyrus-sasl-devel BuildRequires: pyparsing +BuildRequires: git %description The Simple Protocol for Independent Computing Environments (SPICE) is @@ -130,76 +146,7 @@ using spice-server, you will need to install spice-server-devel. %prep -%setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 -%patch35 -p1 -%patch36 -p1 -%patch37 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 -%patch41 -p1 -%patch42 -p1 -%patch43 -p1 -%patch44 -p1 -%patch45 -p1 -%patch46 -p1 -%patch47 -p1 -%patch48 -p1 -%patch49 -p1 -%patch50 -p1 -%patch51 -p1 -%patch52 -p1 -%patch53 -p1 -%patch54 -p1 -%patch55 -p1 -%patch56 -p1 -%patch57 -p1 -%patch58 -p1 -%patch59 -p1 -%patch60 -p1 -%patch61 -p1 -%patch62 -p1 -%patch63 -p1 -%patch64 -p1 -%patch65 -p1 -%patch66 -p1 -%patch67 -p1 -%patch68 -p1 -%patch69 -p1 +%autosetup -S git_am %build @@ -230,12 +177,36 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog -* Fri Aug 05 2016 Christophe Fergeau 0.12.4-15.2 +* Fri Sep 09 2016 Christophe Fergeau 0.12.4-19 +- Ensure SPICE_MIGRATE_COMPLETED is sent in all cases when it's needed. + Resolves: rhbz#1352836 +* Fri Jul 01 2016 Christophe Fergeau - 0.12.4-18 +- Fix crash when connecting to VM using smartcard passthrough + Resolves: rhbz#1340899 +- Fix hang after unredirecting a USB device + Resolves: rhbz#1338752 +- Backport spice_qxl_set_max_monitors() + Resolves: rhbz#1283202 +* Wed Apr 27 2016 Christophe Fergeau - 0.12.4-17 +- Fix crash when the client sends a wrong header (for example when using spice-html5) + Resolves: rhbz#1281442 +- Fix crash when guest provides wrong address + Resolves: rhbz#1264356 - Fix thread-safety issue causing a crash when playing a Youtube video spanning multiple monitors Resolves: rhbz#1253375 - -* Mon Apr 25 2016 Christophe Fergeau - 0.12.4-15.1 +- Add patches reducing QEMU wake-ups + Related: rhbz#912763, rhbz#1186146 +- Fix use-after-free after resetting a VM + Resolves: rhbz#1281455 +- Send KeepAlive probes every 10 minutes + Resolves: rhbz#1298590 +- Add client to guest volume synchronization + Resolves: rhbz#1264107 + +* Mon Apr 25 2016 Christophe Fergeau - 0.12.4-16 +- Use autosetup + Related: CVE-2016-0749 - Fix heap-based memory corruption within smartcard handling Resolves: CVE-2016-0749 - Fix host memory access from guest with invalid primary surface parameters