9 files changed, 302 insertions, 314 deletions

diff --git a/sysutils/xen-tools/Makefile b/sysutils/xen-tools/Makefile
index bd2a0d091351..6bec20fe778b 100644
--- a/sysutils/xen-tools/Makefile
+++ b/sysutils/xen-tools/Makefile
@@ -2,8 +2,8 @@
 
 PORTNAME=	xen
 PKGNAMESUFFIX=	-tools
-PORTVERSION=	4.7.1
-PORTREVISION=   5
+PORTVERSION=	4.7.2
+PORTREVISION=   0
 CATEGORIES=	sysutils emulators
 MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
 
@@ -44,10 +44,10 @@ QEMU_ARGS=	--disable-gtk \
 		--cxx=c++
 
 EXTRA_PATCHES=	${FILESDIR}/var_paths.patch:-p1 \
-		${FILESDIR}/xsa198.patch:-p1 \
 		${FILESDIR}/0001-libxl-fix-creation-of-pkgconf-install-dir.patch:-p1 \
 		${FILESDIR}/0001-tools-configure-fix-pkg-config-install-path-for-Free.patch:-p1 \
-		${FILESDIR}/0001-libs-xenstore-set-correct-FreeBSD-device.patch:-p1
+		${FILESDIR}/0001-libs-xenstore-set-correct-FreeBSD-device.patch:-p1 \
+		${FILESDIR}/kdd.patch:-p1
 
 CONFIGURE_ARGS+=	--with-extra-qemuu-configure-args="${QEMU_ARGS}" \
 			--with-system-seabios=${LOCALBASE}/share/seabios/bios.bin
diff --git a/sysutils/xen-tools/distinfo b/sysutils/xen-tools/distinfo
index 1b8190668041..e403b4838e0b 100644
--- a/sysutils/xen-tools/distinfo
+++ b/sysutils/xen-tools/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1480690512
-SHA256 (xen-4.7.1.tar.gz) = e87f4b0575e78657ee23d31470a15ecf1ce8c3a92a771cda46bbcd4d0d671ffe
-SIZE (xen-4.7.1.tar.gz) = 20706864
+TIMESTAMP = 1489085975
+SHA256 (xen-4.7.2.tar.gz) = 61494a56d9251e2108080f95b0dc8e3d175f1ba4da34603fc07b91cfebf358d5
+SIZE (xen-4.7.2.tar.gz) = 20714281
diff --git a/sysutils/xen-tools/files/kdd.patch b/sysutils/xen-tools/files/kdd.patch
new file mode 100644
index 000000000000..f311028eb038
--- /dev/null
+++ b/sysutils/xen-tools/files/kdd.patch
@@ -0,0 +1,36 @@
+Subject: [PATCH] tools/kdd: don't use a pointer to an unaligned field.
+
+The 'val' field in the packet is byte-aligned (because it is part of a
+packed struct), but the pointer argument to kdd_rdmsr() has the normal
+alignment constraints for a uint64_t *.  Use a local variable to make sure
+the passed pointer has the correct alignment.
+
+Reported-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Tim Deegan <tim@xen.org>
+---
+ tools/debugger/kdd/kdd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/debugger/kdd/kdd.c b/tools/debugger/kdd/kdd.c
+index 70f007e..1bd5dd5 100644
+--- a/tools/debugger/kdd/kdd.c
++++ b/tools/debugger/kdd/kdd.c
+@@ -710,11 +710,13 @@ static void kdd_handle_read_ctrl(kdd_state *s)
+ static void kdd_handle_read_msr(kdd_state *s)
+ {
+     uint32_t msr = s->rxp.cmd.msr.msr;
++    uint64_t val;
+     int ok;
+     KDD_LOG(s, "Read MSR 0x%"PRIx32"\n", msr);
+ 
+-    ok = (kdd_rdmsr(s->guest, s->cpuid, msr, &s->txp.cmd.msr.val) == 0);
++    ok = (kdd_rdmsr(s->guest, s->cpuid, msr, &val) == 0);
+     s->txp.cmd.msr.msr = msr;
++    s->txp.cmd.msr.val = val;
+     s->txp.cmd.msr.status = (ok ? KDD_STATUS_SUCCESS : KDD_STATUS_FAILURE);
+     kdd_send_cmd(s, KDD_CMD_READ_MSR, 0);
+ }
+-- 
+2.7.4
+
+
diff --git a/sysutils/xen-tools/files/xsa197-qemuu.patch b/sysutils/xen-tools/files/xsa197-qemuu.patch
deleted file mode 100644
index f7845cffd2a5..000000000000
--- a/sysutils/xen-tools/files/xsa197-qemuu.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: xen: fix ioreq handling
-
-Avoid double fetches and bounds check size to avoid overflowing
-internal variables.
-
-This is XSA-197.
-
-Reported-by: yanghongke <yanghongke@huawei.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-
---- a/xen-hvm.c
-+++ b/xen-hvm.c
-@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
-     trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
-                          req->data, req->count, req->size);
- 
-+    if (req->size > sizeof(uint32_t)) {
-+        hw_error("PIO: bad size (%u)", req->size);
-+    }
-+
-     if (req->dir == IOREQ_READ) {
-         if (!req->data_is_ptr) {
-             req->data = do_inp(req->addr, req->size);
-@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req)
-     trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
-                          req->data, req->count, req->size);
- 
-+    if (req->size > sizeof(req->data)) {
-+        hw_error("MMIO: bad size (%u)", req->size);
-+    }
-+
-     if (!req->data_is_ptr) {
-         if (req->dir == IOREQ_READ) {
-             for (i = 0; i < req->count; i++) {
-@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOS
-         req.df = 1;
-         req.type = buf_req->type;
-         req.data_is_ptr = 0;
-+        xen_rmb();
-         qw = (req.size == 8);
-         if (qw) {
-             buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
-                                            IOREQ_BUFFER_SLOT_NUM];
-             req.data |= ((uint64_t)buf_req->data) << 32;
-+            xen_rmb();
-         }
- 
-         handle_ioreq(state, &req);
-@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaqu
- 
-     handle_buffered_iopage(state);
-     if (req) {
--        handle_ioreq(state, req);
-+        ioreq_t copy = *req;
-+
-+        xen_rmb();
-+        handle_ioreq(state, &copy);
-+        req->data = copy.data;
- 
-         if (req->state != STATE_IOREQ_INPROCESS) {
-             fprintf(stderr, "Badness in I/O request ... not in service?!: "
diff --git a/sysutils/xen-tools/files/xsa198.patch b/sysutils/xen-tools/files/xsa198.patch
deleted file mode 100644
index dbf708491edf..000000000000
--- a/sysutils/xen-tools/files/xsa198.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson@eu.citrix.com>
-Date: Thu, 3 Nov 2016 16:37:40 +0000
-Subject: [PATCH] pygrub: Properly quote results, when returning them to the
- caller:
-
-* When the caller wants sexpr output, use `repr()'
-  This is what Xend expects.
-
-  The returned S-expressions are now escaped and quoted by Python,
-  generally using '...'.  Previously kernel and ramdisk were unquoted
-  and args was quoted with "..." but without proper escaping.  This
-  change may break toolstacks which do not properly dequote the
-  returned S-expressions.
-
-* When the caller wants "simple" output, crash if the delimiter is
-  contained in the returned value.
-
-  With --output-format=simple it does not seem like this could ever
-  happen, because the bootloader config parsers all take line-based
-  input from the various bootloader config files.
-
-  With --output-format=simple0, this can happen if the bootloader
-  config file contains nul bytes.
-
-This is XSA-198.
-
-Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- tools/pygrub/src/pygrub | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
-index 40f9584..dd0c8f7 100755
---- a/tools/pygrub/src/pygrub
-+++ b/tools/pygrub/src/pygrub
-@@ -721,14 +721,17 @@ def sniff_netware(fs, cfg):
-     return cfg
- 
- def format_sxp(kernel, ramdisk, args):
--    s = "linux (kernel %s)" % kernel
-+    s = "linux (kernel %s)" % repr(kernel)
-     if ramdisk:
--        s += "(ramdisk %s)" % ramdisk
-+        s += "(ramdisk %s)" % repr(ramdisk)
-     if args:
--        s += "(args \"%s\")" % args
-+        s += "(args %s)" % repr(args)
-     return s
-                 
- def format_simple(kernel, ramdisk, args, sep):
-+    for check in (kernel, ramdisk, args):
-+        if check is not None and sep in check:
-+            raise RuntimeError, "simple format cannot represent delimiter-containing value"
-     s = ("kernel %s" % kernel) + sep
-     if ramdisk:
-         s += ("ramdisk %s" % ramdisk) + sep
--- 
-2.1.4
-
diff --git a/sysutils/xen-tools/files/xsa208-qemuu.patch b/sysutils/xen-tools/files/xsa208-qemuu.patch
deleted file mode 100644
index b1023ee90235..000000000000
--- a/sysutils/xen-tools/files/xsa208-qemuu.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 7eaaf4ba68fab40f1945d761438bdaa44fbf37d7 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Thu, 9 Feb 2017 14:36:41 -0800
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-This is XSA-208.
-
-upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
-          address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 5198037..7bf3707 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
-     if (pitch < 0) {
-         int64_t min = addr
--            + ((int64_t)s->cirrus_blt_height-1) * pitch;
--        int32_t max = addr
--            + s->cirrus_blt_width;
--        if (min < 0 || max >= s->vga.vram_size) {
-+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+            - s->cirrus_blt_width;
-+        if (min < -1 || addr >= s->vga.vram_size) {
-             return true;
-         }
-     } else {
--- 
-2.10.1 (Apple Git-78)
-
diff --git a/sysutils/xen-tools/files/xsa209-pre-qemuu.patch b/sysutils/xen-tools/files/xsa209-pre-qemuu.patch
deleted file mode 100644
index 08cbcce52d87..000000000000
--- a/sysutils/xen-tools/files/xsa209-pre-qemuu.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers <brogers@suse.com>
-Date: Tue, 21 Feb 2017 10:54:38 -0800
-Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7bf3707..34a6900 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-     return false;
- }
- 
--static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
-     /* should be the case, see cirrus_bitblt_start */
-     assert(s->cirrus_blt_width > 0);
-@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
-                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
-         return true;
-     }
-+    if (dst_only) {
-+        return false;
-+    }
-     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
-         return true;
-@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- 
-     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- 
--    if (blit_is_unsafe(s))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     (*s->cirrus_rop) (s, dst, src,
-@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
-     cirrus_fill_t rop_func;
- 
--    if (blit_is_unsafe(s)) {
-+    if (blit_is_unsafe(s, true)) {
-         return 0;
-     }
-     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- 
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
--    if (blit_is_unsafe(s))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
--- 
-2.10.1 (Apple Git-78)
-
diff --git a/sysutils/xen-tools/files/xsa209-qemuu.patch b/sysutils/xen-tools/files/xsa209-qemuu.patch
deleted file mode 100644
index a052013e97cf..000000000000
--- a/sysutils/xen-tools/files/xsa209-qemuu.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all.  Oops.  Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-The missing blit width check allows to overflow cirrus_bltbuf,
-with the attractive target cirrus_srcptr (current cirrus_bltbuf write
-position) being located right after cirrus_bltbuf in CirrusVGAState.
-
-Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
-hasn't full control over cirrus_srcptr though, only one byte can be
-changed.  Once the first byte has been modified further writes land
-elsewhere.
-
-[ This is CVE-2017-2620 / XSA-209  - Ian Jackson ]
-
-Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0e47cf8..a093dc8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
-     int w;
- 
-+    if (blit_is_unsafe(s, true)) {
-+        return 0;
-+    }
-+
-     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
-     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
-     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- 	}
-         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
-     }
-+
-+    /* the blit_is_unsafe call above should catch this */
-+    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
-     s->cirrus_srcptr = s->cirrus_bltbuf;
-     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-     cirrus_update_memory_access(s);
--- 
-1.8.3.1
-
diff --git a/sysutils/xen-tools/files/xsa211-qemuu-4.7.patch b/sysutils/xen-tools/files/xsa211-qemuu-4.7.patch
new file mode 100644
index 000000000000..e4da6bd8a336
--- /dev/null
+++ b/sysutils/xen-tools/files/xsa211-qemuu-4.7.patch
@@ -0,0 +1,259 @@
+From 9de536fbc2be97ae887560f08f0fd824efa3d5db Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Feb 2017 19:09:59 +0100
+Subject: [PATCH] cirrus/vnc: zap bitblit support from console code.
+
+There is a special code path (dpy_gfx_copy) to allow graphic emulation
+notify user interface code about bitblit operations carryed out by
+guests.  It is supported by cirrus and vnc server.  The intended purpose
+is to optimize display scrolls and just send over the scroll op instead
+of a full display update.
+
+This is rarely used these days though because modern guests simply don't
+use the cirrus blitter any more.  Any linux guest using the cirrus drm
+driver doesn't.  Any windows guest newer than winxp doesn't ship with a
+cirrus driver any more and thus uses the cirrus as simple framebuffer.
+
+So this code tends to bitrot and bugs can go unnoticed for a long time.
+See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
+which fixes a bug lingering in the code for almost a year, added by
+commit "c7628bf vnc: only alloc server surface with clients connected".
+
+Also the vnc server will throttle the frame rate in case it figures the
+network can't keep up (send buffers are full).  This doesn't work with
+dpy_gfx_copy, for any copy operation sent to the vnc client we have to
+send all outstanding updates beforehand, otherwise the vnc client might
+run the client side blit on outdated data and thereby corrupt the
+display.  So this dpy_gfx_copy "optimization" might even make things
+worse on slow network links.
+
+Lets kill it once for all.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 12 ++-----
+ include/ui/console.h    |  7 ----
+ ui/console.c            | 28 ---------------
+ ui/vnc.c                | 91 -------------------------------------------------
+ 4 files changed, 3 insertions(+), 135 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 5901250..2841676 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -758,11 +758,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+         }
+     }
+ 
+-    /* we have to flush all pending changes so that the copy
+-       is generated at the appropriate moment in time */
+-    if (notify)
+-        graphic_hw_update(s->vga.con);
+-
+     (*s->cirrus_rop) (s, s->vga.vram_ptr +
+ 		      (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ 		      s->vga.vram_ptr +
+@@ -771,10 +766,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 		      s->cirrus_blt_width, s->cirrus_blt_height);
+ 
+     if (notify) {
+-        qemu_console_copy(s->vga.con,
+-			  sx, sy, dx, dy,
+-			  s->cirrus_blt_width / depth,
+-			  s->cirrus_blt_height);
++        dpy_gfx_update(s->vga.con, dx, dy,
++                       s->cirrus_blt_width / depth,
++                       s->cirrus_blt_height);
+     }
+ 
+     /* we don't have to notify the display that this portion has
+diff --git a/include/ui/console.h b/include/ui/console.h
+index 047a2b4..ed07065 100644
+--- a/include/ui/console.h
++++ b/include/ui/console.h
+@@ -166,9 +166,6 @@ typedef struct DisplayChangeListenerOps {
+                            int x, int y, int w, int h);
+     void (*dpy_gfx_switch)(DisplayChangeListener *dcl,
+                            struct DisplaySurface *new_surface);
+-    void (*dpy_gfx_copy)(DisplayChangeListener *dcl,
+-                         int src_x, int src_y,
+-                         int dst_x, int dst_y, int w, int h);
+     bool (*dpy_gfx_check_format)(DisplayChangeListener *dcl,
+                                  pixman_format_code_t format);
+ 
+@@ -233,8 +230,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info);
+ void dpy_gfx_update(QemuConsole *con, int x, int y, int w, int h);
+ void dpy_gfx_replace_surface(QemuConsole *con,
+                              DisplaySurface *surface);
+-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
+-                  int dst_x, int dst_y, int w, int h);
+ void dpy_text_cursor(QemuConsole *con, int x, int y);
+ void dpy_text_update(QemuConsole *con, int x, int y, int w, int h);
+ void dpy_text_resize(QemuConsole *con, int w, int h);
+@@ -329,8 +324,6 @@ void text_consoles_set_display(DisplayState *ds);
+ void console_select(unsigned int index);
+ void console_color_init(DisplayState *ds);
+ void qemu_console_resize(QemuConsole *con, int width, int height);
+-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
+-                       int dst_x, int dst_y, int w, int h);
+ DisplaySurface *qemu_console_surface(QemuConsole *con);
+ 
+ /* console-gl.c */
+diff --git a/ui/console.c b/ui/console.c
+index 75fc492..72d91cb 100644
+--- a/ui/console.c
++++ b/ui/console.c
+@@ -1495,27 +1495,6 @@ static void dpy_refresh(DisplayState *s)
+     }
+ }
+ 
+-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
+-                  int dst_x, int dst_y, int w, int h)
+-{
+-    DisplayState *s = con->ds;
+-    DisplayChangeListener *dcl;
+-
+-    if (!qemu_console_is_visible(con)) {
+-        return;
+-    }
+-    QLIST_FOREACH(dcl, &s->listeners, next) {
+-        if (con != (dcl->con ? dcl->con : active_console)) {
+-            continue;
+-        }
+-        if (dcl->ops->dpy_gfx_copy) {
+-            dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h);
+-        } else { /* TODO */
+-            dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h);
+-        }
+-    }
+-}
+-
+ void dpy_text_cursor(QemuConsole *con, int x, int y)
+ {
+     DisplayState *s = con->ds;
+@@ -1968,13 +1947,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height)
+     dpy_gfx_replace_surface(s, surface);
+ }
+ 
+-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
+-                       int dst_x, int dst_y, int w, int h)
+-{
+-    assert(con->console_type == GRAPHIC_CONSOLE);
+-    dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h);
+-}
+-
+ DisplaySurface *qemu_console_surface(QemuConsole *console)
+ {
+     return console->surface;
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 52c6809..61ab611 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -908,96 +908,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+     return n;
+ }
+ 
+-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
+-{
+-    /* send bitblit op to the vnc client */
+-    vnc_lock_output(vs);
+-    vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
+-    vnc_write_u8(vs, 0);
+-    vnc_write_u16(vs, 1); /* number of rects */
+-    vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
+-    vnc_write_u16(vs, src_x);
+-    vnc_write_u16(vs, src_y);
+-    vnc_unlock_output(vs);
+-    vnc_flush(vs);
+-}
+-
+-static void vnc_dpy_copy(DisplayChangeListener *dcl,
+-                         int src_x, int src_y,
+-                         int dst_x, int dst_y, int w, int h)
+-{
+-    VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+-    VncState *vs, *vn;
+-    uint8_t *src_row;
+-    uint8_t *dst_row;
+-    int i, x, y, pitch, inc, w_lim, s;
+-    int cmp_bytes;
+-
+-    vnc_refresh_server_surface(vd);
+-    QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
+-        if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+-            vs->force_update = 1;
+-            vnc_update_client(vs, 1, true);
+-            /* vs might be free()ed here */
+-        }
+-    }
+-
+-    /* do bitblit op on the local surface too */
+-    pitch = vnc_server_fb_stride(vd);
+-    src_row = vnc_server_fb_ptr(vd, src_x, src_y);
+-    dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
+-    y = dst_y;
+-    inc = 1;
+-    if (dst_y > src_y) {
+-        /* copy backwards */
+-        src_row += pitch * (h-1);
+-        dst_row += pitch * (h-1);
+-        pitch = -pitch;
+-        y = dst_y + h - 1;
+-        inc = -1;
+-    }
+-    w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+-    if (w_lim < 0) {
+-        w_lim = w;
+-    } else {
+-        w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
+-    }
+-    for (i = 0; i < h; i++) {
+-        for (x = 0; x <= w_lim;
+-                x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
+-            if (x == w_lim) {
+-                if ((s = w - w_lim) == 0)
+-                    break;
+-            } else if (!x) {
+-                s = (VNC_DIRTY_PIXELS_PER_BIT -
+-                    (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+-                s = MIN(s, w_lim);
+-            } else {
+-                s = VNC_DIRTY_PIXELS_PER_BIT;
+-            }
+-            cmp_bytes = s * VNC_SERVER_FB_BYTES;
+-            if (memcmp(src_row, dst_row, cmp_bytes) == 0)
+-                continue;
+-            memmove(dst_row, src_row, cmp_bytes);
+-            QTAILQ_FOREACH(vs, &vd->clients, next) {
+-                if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+-                    set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
+-                            vs->dirty[y]);
+-                }
+-            }
+-        }
+-        src_row += pitch - w * VNC_SERVER_FB_BYTES;
+-        dst_row += pitch - w * VNC_SERVER_FB_BYTES;
+-        y += inc;
+-    }
+-
+-    QTAILQ_FOREACH(vs, &vd->clients, next) {
+-        if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+-            vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
+-        }
+-    }
+-}
+-
+ static void vnc_mouse_set(DisplayChangeListener *dcl,
+                           int x, int y, int visible)
+ {
+@@ -3131,7 +3041,6 @@ static void vnc_listen_websocket_read(void *opaque)
+ static const DisplayChangeListenerOps dcl_ops = {
+     .dpy_name             = "vnc",
+     .dpy_refresh          = vnc_refresh,
+-    .dpy_gfx_copy         = vnc_dpy_copy,
+     .dpy_gfx_update       = vnc_dpy_update,
+     .dpy_gfx_switch       = vnc_dpy_switch,
+     .dpy_gfx_check_format = qemu_pixman_check_format,
+-- 
+2.1.4
+