From 153d02e338a063ad5c51ff0725d5d88285f44121 Mon Sep 17 00:00:00 2001
From: Amos Kong
Date: Tue, 16 Apr 2013 13:47:32 +0800
Subject: [PATCH 1/2] monitor: fix the wrong order of releasing keys
(qemu) sendkey ctrl_r-scroll_lock-scroll_lock Executing this command could not let Windows guest panic, it caused by the wrong order of releasing keys. This problem was introduced by commit e4c8f004c55d9da3eae3e14df740238bf805b5d6. The right release order should be starting from last item.
Signed-off-by: Amos Kong
Signed-off-by: Luiz Capitulino
---
 ui/input.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/ui/input.c b/ui/input.c
index 9abef0cd78..ecfeb43824 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -234,13 +234,11 @@ static void free_keycodes(void)
 static void release_keys(void *opaque)
 {
- int i;
-
- for (i = 0; i < keycodes_size; i++) {
- if (keycodes[i] & 0x80) {
+ while (keycodes_size > 0) {
+ if (keycodes[--keycodes_size] & 0x80) {
 kbd_put_keycode(0xe0);
 }
- kbd_put_keycode(keycodes[i]| 0x80);
+ kbd_put_keycode(keycodes[keycodes_size] | 0x80);
 }
 free_keycodes();
From dcc6ceffc066745777960a1f0d32f3a555924f65 Mon Sep 17 00:00:00 2001
From: Luiz Capitulino
Date: Thu, 18 Apr 2013 11:53:32 -0400
Subject: [PATCH 2/2] virtio-balloon: fix integer overflow in BALLOON_CHANGE QMP event
Because dev->actual is uint32_t, the expression 'dev->actual << VIRTIO_BALLOON_PFN_SHIFT' is truncated to 32 bits. This overflows when dev->actual >= 1048576. To reproduce: 1. Start a VM with a QMP socket and 5G of RAM 2. Connect to the QMP socket, negotiate capabilities and issue: { "execute":"balloon", "arguments": { "value": 1073741824 } } 3. Watch for BALLOON_CHANGE QMP events, the last one will incorretly be: { "timestamp": { "seconds": 1366228965, "microseconds": 245466 }, "event": "BALLOON_CHANGE", "data": { "actual": 5368709120 } } To fix it this commit casts it to ram_addr_t, which is ram_size's type.
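Review bot: The new loop spreads one logical index across two statements — the decrement in `keycodes[--keycodes_size]` inside the `if` and the re-read of `keycodes[keycodes_size]` two lines later — which is correct but easy to break on the next edit; hoisting it into a local keeps each key's release self-contained: `int keycode = keycodes[--keycodes_size];`, then `if (keycode & 0x80) {` and `kbd_put_keycode(keycode | 0x80);`. The loop also now consumes the global `keycodes_size` as its cursor, so `free_keycodes()` in the trailing context is entered with it already 0; if that function reads `keycodes_size`, that ordering dependency deserves a comment such as `/* keycodes_size is 0 here: the release loop above consumed it */`. Releasing in reverse press order is the fix itself and needs no further change. The closing brace of `release_keys()` lies past the end of the hunk.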
Signed-off-by: Luiz Capitulino
Reviewed-by: Eric Blake
---
 hw/virtio/virtio-balloon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index c2c446eb9b..76e32ceef8 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -275,7 +275,7 @@ static void virtio_balloon_set_config(VirtIODevice *vdev,
 dev->actual = le32_to_cpu(config.actual);
 if (dev->actual != oldactual) {
 qemu_balloon_changed(ram_size -
- (dev->actual << VIRTIO_BALLOON_PFN_SHIFT));
+ ((ram_addr_t) dev->actual << VIRTIO_BALLOON_PFN_SHIFT));
 }
 }
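Review bot: `dev->actual` is taken straight from the guest-writable config space (`le32_to_cpu(config.actual)` in the leading context) and the widened product is subtracted from `ram_size` without a bound, so a guest that reports more ballooned pages than it has memory makes the unsigned subtraction wrap and `qemu_balloon_changed()` receives a nonsensical huge value in the BALLOON_CHANGE event; the cast fixes the truncation but not the missing range check. Clamping before the call keeps the reported figure inside the VM's memory: `ram_addr_t ballooned = (ram_addr_t) dev->actual << VIRTIO_BALLOON_PFN_SHIFT;`, `if (ballooned > ram_size) { ballooned = ram_size; }`, `qemu_balloon_changed(ram_size - ballooned);`. The commit message relies on `ram_addr_t` being wide enough for a 32-bit page count shifted by `VIRTIO_BALLOON_PFN_SHIFT`; if that type is narrower than 64 bits on some host configuration the truncation returns there, so a comment noting the assumed width would help, though I cannot confirm the typedef from this hunk. The rest of `virtio_balloon_set_config()` is outside the hunk.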