diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index c61a677353..0841b9efa9 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -219,7 +219,7 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
 srcpitch += bltwidth;
 for (y = 0; y < bltheight; y++) {
 for (x = 0; x < bltwidth; x+=2) {
- ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
+ ROP_OP_TR_16(s, dstaddr - 1, cirrus_src16(s, srcaddr - 1), transp);
 dstaddr -= 2;
 srcaddr -= 2;
 }
diff --git a/ui/console.c b/ui/console.c
index 4c70d8bfda..937c950840 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -1575,13 +1575,32 @@ bool dpy_gfx_check_format(QemuConsole *con,
 return true;
 }
+/*
+ * Safe DPY refresh for TCG guests. This runs when the TCG vCPUs are
+ * quiescent so we can avoid races between dirty page tracking for
+ * direct frame-buffer access by the guest.
+ *
+ * This is a temporary stopgap until we've fixed the dirty tracking
+ * races in display adapters.
+ */
+static void do_safe_dpy_refresh(CPUState *cpu, run_on_cpu_data opaque)
+{
+ DisplayChangeListener *dcl = opaque.host_ptr;
+ dcl->ops->dpy_refresh(dcl);
+}
+
 static void dpy_refresh(DisplayState *s)
 {
 DisplayChangeListener *dcl;
 QLIST_FOREACH(dcl, &s->listeners, next) {
 if (dcl->ops->dpy_refresh) {
- dcl->ops->dpy_refresh(dcl);
+ if (tcg_enabled()) {
+ async_safe_run_on_cpu(first_cpu, do_safe_dpy_refresh,
+ RUN_ON_CPU_HOST_PTR(dcl));
+ } else {
+ dcl->ops->dpy_refresh(dcl);
+ }
 }
 }
 }
diff --git a/ui/vnc.c b/ui/vnc.c
index 8bfb1e0685..6e93b883b5 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3677,6 +3677,7 @@ static int vnc_display_listen_addr(VncDisplay *vd,
 qio_channel_set_name(QIO_CHANNEL(sioc), name);
 if (qio_channel_socket_listen_sync(
 sioc, rawaddrs[i], listenerr == NULL ? &listenerr : NULL) < 0) {
+ object_unref(OBJECT(sioc));
 continue;
 }
 listening = true;
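Review bot: In the `cirrus_bitblt_rop_bkwd_transp_*_16` hunk (hw/display/cirrus_vga_rop.h) the new `dstaddr - 1` and `srcaddr - 1` offsets carry no explanation, and nothing visible here shows how the adjusted addresses are bounded. Blit addresses come from guest-programmed state, so it is worth confirming that `ROP_OP_TR_16` and `cirrus_src16` (defined outside this hunk) mask the address to the video memory size, since a start value of 0 would otherwise wrap below the buffer. If the intent is that a backward blit address names the last byte of the pixel, say so above the call, e.g. `/* backward blit: address is the pixel's last byte, so the 16-bit access starts one byte lower */`. The inner loop steps `x += 2`, so an odd `bltwidth` would perform one extra 16-bit access; the function body starts and ends outside the hunk, so whether callers exclude that cannot be seen here.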
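Review bot: In `dpy_refresh` (ui/console.c) the TCG branch hands the raw `dcl` pointer to `async_safe_run_on_cpu`, so `do_safe_dpy_refresh` dereferences it later with nothing visible in the hunk keeping the listener alive. If a listener can be unregistered and freed between queueing and the vCPU safe point, that is a use-after-free. The call also passes `first_cpu` unchecked, which would be a NULL dereference if a refresh can fire before any vCPU exists; `if (tcg_enabled() && first_cpu) {` would keep the direct call as the fallback. Every refresh tick queues one work item per listener, so it is also worth confirming that items cannot pile up while vCPUs are slow to quiesce. The new header comment should state the lifetime assumption on `dcl`.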