Re: [Qemu-devel] [PATCH v7 4/4] hw: convert virtio-input-hid device to keycodemapdb
On Thu, Jan 25, 2018 at 04:16:19PM +0100, Gerd Hoffmann wrote: > Hi, > > > If the guest OS reboots, or otherwise re-initializes the virt-input device, > > it will read the new keycode bitmap. No matter how many keys are defined, > > the config space has a fixed 128 byte bitmap. There is, however, a size > > field defiend which says how many bytes in the bitmap are used. > > No. There is a size field saying how big the bitmap is. config space > (as in: virtio device config space) is only as big as is actually > needed, i.e. basically the highest set bit of the bitmap determines the > config space size. Oopps, I missed that subtlety, thinking we always read at least the size of "struct virtio_input_config" > > Debug patch ... > > --- a/hw/input/virtio-input.c > +++ b/hw/input/virtio-input.c > @@ -255,6 +255,8 @@ static void virtio_input_device_realize(DeviceState > *dev, Error **errp) > } > vinput->cfg_size += 8; > assert(vinput->cfg_size <= sizeof(virtio_input_config)); > +fprintf(stderr, "%s: %s: %d bytes cfg space\n", __func__, > +object_get_typename(OBJECT(dev)), vinput->cfg_size); > > virtio_init(vdev, "virtio-input", VIRTIO_ID_INPUT, > vinput->cfg_size); > > ... prints this without the patch ... > > virtio_input_device_realize: virtio-keyboard-device: 29 bytes cfg space > > ... and this with the patch: > > virtio_input_device_realize: virtio-keyboard-device: 37 bytes cfg space > > > That seems to not have any bad side effects on live migration though. > I can vmsave with unpatched qemu and vmload with patched qemu (and visa > versa). IIUC, the guest OS will only read this cfg data when the driver loads. So during vmload, ths guest won't trigger this code path. IIUC, to be affected by the incompatibility, the guest would have to be vmsave+vmload'd / migrated, at the exact time window between reading the config space size, and reading the config space data. In the old -> new case, that's still safe as we simply don't read all the data. In the new -> old case, we could be reading 37 bytes when only 29 bytes of cfg space are mapped. This is exceedingly unlikely to happen in practice, but I'm still curious what happens if we try to read too much cfg space ? > Agreeing with the analysis that guests should cope with the change just > fine, worst case being that the newly added keys are not working on > updated qemu without guest reboot. Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
Re: [Qemu-devel] [PATCH v7 4/4] hw: convert virtio-input-hid device to keycodemapdb
Hi, > If the guest OS reboots, or otherwise re-initializes the virt-input device, > it will read the new keycode bitmap. No matter how many keys are defined, > the config space has a fixed 128 byte bitmap. There is, however, a size > field defiend which says how many bytes in the bitmap are used. No. There is a size field saying how big the bitmap is. config space (as in: virtio device config space) is only as big as is actually needed, i.e. basically the highest set bit of the bitmap determines the config space size. Debug patch ... --- a/hw/input/virtio-input.c +++ b/hw/input/virtio-input.c @@ -255,6 +255,8 @@ static void virtio_input_device_realize(DeviceState *dev, Error **errp) } vinput->cfg_size += 8; assert(vinput->cfg_size <= sizeof(virtio_input_config)); +fprintf(stderr, "%s: %s: %d bytes cfg space\n", __func__, +object_get_typename(OBJECT(dev)), vinput->cfg_size); virtio_init(vdev, "virtio-input", VIRTIO_ID_INPUT, vinput->cfg_size); ... prints this without the patch ... virtio_input_device_realize: virtio-keyboard-device: 29 bytes cfg space ... and this with the patch: virtio_input_device_realize: virtio-keyboard-device: 37 bytes cfg space That seems to not have any bad side effects on live migration though. I can vmsave with unpatched qemu and vmload with patched qemu (and visa versa). Agreeing with the analysis that guests should cope with the change just fine, worst case being that the newly added keys are not working on updated qemu without guest reboot. So I think we can go forward with this one without breaking anything. thanks, Gerd
Re: [Qemu-devel] [PATCH v7 4/4] hw: convert virtio-input-hid device to keycodemapdb
On Wed, Jan 17, 2018 at 01:02:07PM -0600, Eric Blake wrote: > On 01/17/2018 10:41 AM, Daniel P. Berrange wrote: > > Replace the keymap_qcode table with automatically generated > > tables. > > > > Missing entries in keymap_qcode now fixed: > > > > > > > When a keycode is removed from the list of possible keycodes that host can > > send to the guest, it means that the guest OS will think it is possible > > to receive a key that in pratice can never be generated, which is harmless. > > s/pratice/practice/ > > > > > When a keycode is added to the list of possible keycodes that the host can > > send to the guest, it means that the guest OS can see an unexpected event. > > The Linux virtio_input.c driver code simply forwards this event to the > > input_event() method in the Linux input subsystem. This in turn calls > > input_handle_event(), which then calls input_get_disposition(). This method > > checks if the input event is present in the permitted keys bitmap, and if > > not returns INPUT_IGNORE_EVENT. Thus the unexpected event will get dropped, > > which is harmless. > > > > If the guest OS reboots, or otherwise re-initializes the virt-input device, > > it will read the new keycode bitmap. No matter how many keys are defined, > > the config space has a fixed 128 byte bitmap. There is, however, a size > > field defiend which says how many bytes in the bitmap are used. So the guest > > s/defiend/defined/ > > > OS reads the size of the bitmap, and then it reads the data from bitmap upto > > s/upto/up to/ > > > the designated size. So if the guest OS re-initializes at precisely the time > > that QEMU is migrated across versions, in the worst case, it could > > conceivably > > read the old size field, but then get the newly updated bitmap. If a key > > were > > added this is harmless, since it simply means it may not process the newly > > added key. If a key were removed, then it could be readnig a byte from the > > s/readnig/reading/ > > > bitmap that was not initialized. Fortunately QEMU always memsets() the > > entire > > maybe s/memsets()/memset()s/ > > > bitmap to 0, prior to setting keybits. Thus the guest OS will simply read > > zeros, which is again harmless. > > > > Based on this analysis, it is believed that there is no need to preserve the > > virtio-input-hid keymaps across migration, as the host<->guest ABI change is > > harmless and self-resolving at time of guest reboot. > > > > NB, this behaviour should perhaps be formalized in the virtio-input spec > > to declare how guest OS drivers should be written to be robust in their > > handling of the potentially changable key bitmaps. > > Your analysis of the issues, as well as the advice to enhance the > virtio-input spec to document that a guest must not react negatively to > the change, both sound reasonable. If anyone has the time to finalize the spec patch and send it to the virtio tc, that would be very welcome! IIRC the last revision was [virtio-dev] [PATCH v2] Add virtio input device specification. > > > > Signed-off-by: Daniel P. Berrange > > --- > > hw/input/virtio-input-hid.c | 136 > > +++- > > 1 file changed, 9 insertions(+), 127 deletions(-) > > Fun diffstat ratio! > > I have not closely reviewed the series, so much as noticing the grammar > on the fly. > > -- > Eric Blake, Principal Software Engineer > Red Hat, Inc. +1-919-301-3266 > Virtualization: qemu.org | libvirt.org >
Re: [Qemu-devel] [PATCH v7 4/4] hw: convert virtio-input-hid device to keycodemapdb
On 01/17/2018 10:41 AM, Daniel P. Berrange wrote: > Replace the keymap_qcode table with automatically generated > tables. > > Missing entries in keymap_qcode now fixed: > > > When a keycode is removed from the list of possible keycodes that host can > send to the guest, it means that the guest OS will think it is possible > to receive a key that in pratice can never be generated, which is harmless. s/pratice/practice/ > > When a keycode is added to the list of possible keycodes that the host can > send to the guest, it means that the guest OS can see an unexpected event. > The Linux virtio_input.c driver code simply forwards this event to the > input_event() method in the Linux input subsystem. This in turn calls > input_handle_event(), which then calls input_get_disposition(). This method > checks if the input event is present in the permitted keys bitmap, and if > not returns INPUT_IGNORE_EVENT. Thus the unexpected event will get dropped, > which is harmless. > > If the guest OS reboots, or otherwise re-initializes the virt-input device, > it will read the new keycode bitmap. No matter how many keys are defined, > the config space has a fixed 128 byte bitmap. There is, however, a size > field defiend which says how many bytes in the bitmap are used. So the guest s/defiend/defined/ > OS reads the size of the bitmap, and then it reads the data from bitmap upto s/upto/up to/ > the designated size. So if the guest OS re-initializes at precisely the time > that QEMU is migrated across versions, in the worst case, it could conceivably > read the old size field, but then get the newly updated bitmap. If a key were > added this is harmless, since it simply means it may not process the newly > added key. If a key were removed, then it could be readnig a byte from the s/readnig/reading/ > bitmap that was not initialized. Fortunately QEMU always memsets() the entire maybe s/memsets()/memset()s/ > bitmap to 0, prior to setting keybits. Thus the guest OS will simply read > zeros, which is again harmless. > > Based on this analysis, it is believed that there is no need to preserve the > virtio-input-hid keymaps across migration, as the host<->guest ABI change is > harmless and self-resolving at time of guest reboot. > > NB, this behaviour should perhaps be formalized in the virtio-input spec > to declare how guest OS drivers should be written to be robust in their > handling of the potentially changable key bitmaps. Your analysis of the issues, as well as the advice to enhance the virtio-input spec to document that a guest must not react negatively to the change, both sound reasonable. > > Signed-off-by: Daniel P. Berrange > --- > hw/input/virtio-input-hid.c | 136 > +++- > 1 file changed, 9 insertions(+), 127 deletions(-) Fun diffstat ratio! I have not closely reviewed the series, so much as noticing the grammar on the fly. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org signature.asc Description: OpenPGP digital signature
[Qemu-devel] [PATCH v7 4/4] hw: convert virtio-input-hid device to keycodemapdb
Replace the keymap_qcode table with automatically generated
tables.
Missing entries in keymap_qcode now fixed:
Q_KEY_CODE_ASTERISK -> KEY_KPASTERISK
Q_KEY_CODE_KP_MULTIPLY -> KEY_KPASTERISK
Q_KEY_CODE_STOP -> KEY_STOP
Q_KEY_CODE_AGAIN -> KEY_AGAIN
Q_KEY_CODE_PROPS -> KEY_PROPS
Q_KEY_CODE_UNDO -> KEY_UNDO
Q_KEY_CODE_FRONT -> KEY_FRONT
Q_KEY_CODE_COPY -> KEY_COPY
Q_KEY_CODE_OPEN -> KEY_OPEN
Q_KEY_CODE_PASTE -> KEY_PASTE
Q_KEY_CODE_FIND -> KEY_FIND
Q_KEY_CODE_CUT -> KEY_CUT
Q_KEY_CODE_LF -> KEY_LINEFEED
Q_KEY_CODE_HELP -> KEY_HELP
Q_KEY_CODE_COMPOSE -> KEY_COMPOSE
Q_KEY_CODE_RO -> KEY_RO
Q_KEY_CODE_HIRAGANA -> KEY_HIRAGANA
Q_KEY_CODE_HENKAN -> KEY_HENKAN
Q_KEY_CODE_YEN -> KEY_YEN
Q_KEY_CODE_KP_COMMA -> KEY_KPCOMMA
Q_KEY_CODE_KP_EQUALS -> KEY_KPEQUAL
Q_KEY_CODE_POWER -> KEY_POWER
Q_KEY_CODE_SLEEP -> KEY_SLEEP
Q_KEY_CODE_WAKE -> KEY_WAKEUP
Q_KEY_CODE_AUDIONEXT -> KEY_NEXTSONG
Q_KEY_CODE_AUDIOPREV -> KEY_PREVIOUSSONG
Q_KEY_CODE_AUDIOSTOP -> KEY_STOPCD
Q_KEY_CODE_AUDIOPLAY -> KEY_PLAYPAUSE
Q_KEY_CODE_AUDIOMUTE -> KEY_MUTE
Q_KEY_CODE_VOLUMEUP -> KEY_VOLUMEUP
Q_KEY_CODE_VOLUMEDOWN -> KEY_VOLUMEDOWN
Q_KEY_CODE_MEDIASELECT -> KEY_MEDIA
Q_KEY_CODE_MAIL -> KEY_MAIL
Q_KEY_CODE_CALCULATOR -> KEY_CALC
Q_KEY_CODE_COMPUTER -> KEY_COMPUTER
Q_KEY_CODE_AC_HOME -> KEY_HOMEPAGE
Q_KEY_CODE_AC_BACK -> KEY_BACK
Q_KEY_CODE_AC_FORWARD -> KEY_FORWARD
Q_KEY_CODE_AC_REFRESH -> KEY_REFRESH
Q_KEY_CODE_AC_BOOKMARKS -> KEY_BOOKMARKS
NB, the virtio-input device reports a bitmask to the guest driver that
has a bit set for each Linux keycode that the host is able to send to
the guest.
Thus by adding these extra key mappings we are technically changing the
host<->guest ABI. This would also happen any time we defined new mappings
for QEMU keycodes in future.
When a keycode is removed from the list of possible keycodes that host can
send to the guest, it means that the guest OS will think it is possible
to receive a key that in pratice can never be generated, which is harmless.
When a keycode is added to the list of possible keycodes that the host can
send to the guest, it means that the guest OS can see an unexpected event.
The Linux virtio_input.c driver code simply forwards this event to the
input_event() method in the Linux input subsystem. This in turn calls
input_handle_event(), which then calls input_get_disposition(). This method
checks if the input event is present in the permitted keys bitmap, and if
not returns INPUT_IGNORE_EVENT. Thus the unexpected event will get dropped,
which is harmless.
If the guest OS reboots, or otherwise re-initializes the virt-input device,
it will read the new keycode bitmap. No matter how many keys are defined,
the config space has a fixed 128 byte bitmap. There is, however, a size
field defiend which says how many bytes in the bitmap are used. So the guest
OS reads the size of the bitmap, and then it reads the data from bitmap upto
the designated size. So if the guest OS re-initializes at precisely the time
that QEMU is migrated across versions, in the worst case, it could conceivably
read the old size field, but then get the newly updated bitmap. If a key were
added this is harmless, since it simply means it may not process the newly
added key. If a key were removed, then it could be readnig a byte from the
bitmap that was not initialized. Fortunately QEMU always memsets() the entire
bitmap to 0, prior to setting keybits. Thus the guest OS will simply read
zeros, which is again harmless.
Based on this analysis, it is believed that there is no need to preserve the
virtio-input-hid keymaps across migration, as the host<->guest ABI change is
harmless and self-resolving at time of guest reboot.
NB, this behaviour should perhaps be formalized in the virtio-input spec
to declare how guest OS drivers should be written to be robust in their
handling of the potentially changable key bitmaps.
Signed-off-by: Daniel P. Berrange
---
hw/input/virtio-input-hid.c | 136 +++-
1 file changed, 9 insertions(+), 127 deletions(-)
diff --git a/hw/input/virtio-input-hid.c b/hw/input/virtio-input-hid.c
index e78faec0b1..bd89c3e6ae 100644
--- a/hw/input/virtio-input-hid.c
+++ b/hw/input/virtio-input-hid.c
@@ -22,126 +22,7 @@
/* - */
-static const unsigned int keymap_qcode[Q_KEY_CODE__MAX] = {
-[Q_KEY_CODE_ESC] = KEY_ESC,
-[Q_KEY_CODE_1] = KEY_1,
-[Q_KEY_CODE_2] = KEY_2,
-[Q_KEY_CODE_3] = KEY_3,
-[Q_KEY_CODE_4] = KEY_4,
-[Q_KEY_CODE_5] = KEY_5,
-[Q_KEY_CODE_6] = KEY_6,
-[Q_KEY_CODE_7] = KEY_7,
-[Q_KEY_CODE_8] = KEY_8,
-[Q_KEY_CODE_9] = KEY_9,
-[Q_KEY_CODE_0] = KEY_0,
-[Q_KEY_CODE_MINUS]
