Markus Armbruster
2007-Nov-13 16:43 UTC
[Xen-devel] [PATCH 0/2][PVFB][TOOLS] Bogus screen updates
The PVFB frontend can get confused and send a bogus screen update to the back end when the screen is clean. Two parts: fix the frontend not to do that, and fix the backend not to choke on it. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Markus Armbruster
2007-Nov-13 16:44 UTC
[Xen-devel] [PATCH 1/2][PVFB][TOOLS] PVFB frontend can send bogus screen updates
The PVFB frontend can get confused and send a screen update to the backend when the screen is actually clean. Such an update asks for the impossible rectangle (x1, x2, y1, y2) = (INT_MAX, 0, INT_MAX, 0). Fix by setting the dirty flag in the obvious place: when the dirty rectangle is grown. Signed-off-by: Markus Armbruster <armbru@redhat.com> diff -r cf8b6cafa2f0 drivers/xen/fbfront/xenfb.c --- a/drivers/xen/fbfront/xenfb.c Thu Nov 08 18:26:08 2007 +0000 +++ b/drivers/xen/fbfront/xenfb.c Tue Nov 13 17:32:48 2007 +0100 @@ -201,6 +201,11 @@ static void xenfb_update_screen(struct x mutex_unlock(&info->mm_lock); + if (x2 < x1 || y2 < y1) { + printk("xenfb_update_screen bogus rect %d %d %d %d\n", + x1, x2, y1, y2); + WARN_ON(1); + } xenfb_do_update(info, x1, y1, x2 - x1, y2 - y1); } @@ -252,7 +257,6 @@ static void xenfb_timer(unsigned long da static void xenfb_timer(unsigned long data) { struct xenfb_info *info = (struct xenfb_info *)data; - info->dirty = 1; wake_up(&info->wq); } @@ -272,6 +276,7 @@ static void __xenfb_refresh(struct xenfb info->x1 = x1; if (info->x2 < x2) info->x2 = x2; + info->dirty = 1; if (timer_pending(&info->refresh)) return;
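Review bot: in the first hunk (xenfb_update_screen), the new `x2 < x1 || y2 < y1` branch logs and warns but then falls through to `xenfb_do_update(info, x1, y1, x2 - x1, y2 - y1)`, so the impossible rectangle is still sent to the backend with a negative width and height. Add a `return;` after `WARN_ON(1);` so the check also stops the update. The printk carries no log level; KERN_WARNING would fit a message that accompanies a WARN_ON.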
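Review bot: in the third hunk (__xenfb_refresh), `info->dirty = 1;` is added without a comment, although the removal of the same assignment from xenfb_timer in the second hunk now depends on it being the only place the flag is set. A one-line comment there, stating that dirty is set exactly when the dirty rectangle is grown, would document the invariant and keep a later edit from separating the two again.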
Markus Armbruster
2007-Nov-13 16:44 UTC
[Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus screen updates
Bogus screen update requests from buggy or malicious frontend make SDL crash. The VNC backend silently ignores them. Catch and log them. Signed-off-by: Markus Armbruster <armbru@redhat.com> diff -r 837f83225153 tools/ioemu/hw/xenfb.c --- a/tools/ioemu/hw/xenfb.c Fri Nov 09 12:08:37 2007 +0000 +++ b/tools/ioemu/hw/xenfb.c Tue Nov 13 17:30:22 2007 +0100 @@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen rmb(); /* ensure we see ring contents up to prod */ for (cons = page->out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + int x, y, w, h; switch (event->type) { case XENFB_TYPE_UPDATE: - xenfb_guest_copy(xenfb, - event->update.x, event->update.y, - event->update.width, event->update.height); + x = MAX(event->update.x, 0); + y = MAX(event->update.y, 0); + w = MIN(event->update.width, xenfb->width - x); + h = MIN(event->update.height, xenfb->height - y); + if (w < 0 || h < 0) { + fprintf(stderr, "%s bogus update ignored\n", + xenfb->fb.nodename); + break; + } + if (x != event->update.x || y != event->update.y + || w != event->update.width + || h != event->update.height) { + fprintf(stderr, "%s bogus update clipped\n", + xenfb->fb.nodename); + break; + } + xenfb_guest_copy(xenfb, x, y, w, h); break; } }
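Review bot: in the XENFB_TYPE_UPDATE case, the second check prints "bogus update clipped" and then hits `break;`, so a clipped update is dropped just like an ignored one and `xenfb_guest_copy(xenfb, x, y, w, h)` never runs with the clipped values. Either remove that `break;` so the clipped rectangle is drawn, or change the message to say the update was ignored. Separately, `event->update.x`, `.y`, `.width` and `.height` are each read from the ring page more than once (in MAX/MIN and again in the comparison); since the commit message allows for a malicious frontend, copy the four fields into locals once and do the clamping and the comparison on those copies. The two fprintf calls are also driven by frontend input, so consider limiting how often they fire.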