Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

[qemu.git] / ui / vnc.c
diff --git a/ui/vnc.c b/ui/vnc.c

index 47b49c73183308782fa472bcb5732a9581f35744..1871422e1d4830af3be8d5b74bcccdc076110793 100644 (file)
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -28,18 +28,18 @@
  #include "vnc.h"
  #include "vnc-jobs.h"
  #include "trace.h"
-#include "hw/qdev.h"
  #include "sysemu/sysemu.h"
  #include "qemu/error-report.h"
+#include "qemu/option.h"
  #include "qemu/sockets.h"
  #include "qemu/timer.h"
-#include "qemu/acl.h"
+#include "authz/list.h"
  #include "qemu/config-file.h"
-#include "qapi/qmp/qerror.h"
-#include "qapi/qmp/types.h"
-#include "qmp-commands.h"
+#include "qapi/qapi-emit-events.h"
+#include "qapi/qapi-events-ui.h"
+#include "qapi/error.h"
+#include "qapi/qapi-commands-ui.h"
  #include "ui/input.h"
-#include "qapi-event.h"
  #include "crypto/hash.h"
  #include "crypto/tlscredsanon.h"
  #include "crypto/tlscredsx509.h"
@@ -60,7 +60,7 @@ static QTAILQ_HEAD(, VncDisplay) vnc_displays =
      QTAILQ_HEAD_INITIALIZER(vnc_displays);
  
  static int vnc_cursor_define(VncState *vs);
-static void vnc_release_modifiers(VncState *vs);
+static void vnc_update_throttle_offset(VncState *vs);
  
  static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
  {
@@ -132,7 +132,7 @@ static void vnc_init_basic_info(SocketAddress *addr,
      case SOCKET_ADDRESS_TYPE_VSOCK:
      case SOCKET_ADDRESS_TYPE_FD:
          error_setg(errp, "Unsupported socket address type %s",
-                   SocketAddressType_lookup[addr->type]);
+                   SocketAddressType_str(addr->type));
          break;
      default:
          abort();
@@ -228,12 +228,12 @@ static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
      VncServerInfo *info;
      Error *err = NULL;
  
-    if (!vd->nlsock) {
+    if (!vd->listener || !vd->listener->nsioc) {
          return NULL;
      }
  
      info = g_malloc0(sizeof(*info));
-    vnc_init_basic_info_from_server_addr(vd->lsock[0],
+    vnc_init_basic_info_from_server_addr(vd->listener->sioc[0],
                                           qapi_VncServerInfo_base(info), &err);
      info->has_auth = true;
      info->auth = g_strdup(vnc_auth_name(vd));
@@ -296,14 +296,13 @@ static void vnc_qmp_event(VncState *vs, QAPIEvent event)
  
      switch (event) {
      case QAPI_EVENT_VNC_CONNECTED:
-        qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info),
-                                      &error_abort);
+        qapi_event_send_vnc_connected(si, qapi_VncClientInfo_base(vs->info));
          break;
      case QAPI_EVENT_VNC_INITIALIZED:
-        qapi_event_send_vnc_initialized(si, vs->info, &error_abort);
+        qapi_event_send_vnc_initialized(si, vs->info);
          break;
      case QAPI_EVENT_VNC_DISCONNECTED:
-        qapi_event_send_vnc_disconnected(si, vs->info, &error_abort);
+        qapi_event_send_vnc_disconnected(si, vs->info);
          break;
      default:
          break;
@@ -379,7 +378,7 @@ VncInfo *qmp_query_vnc(Error **errp)
      VncDisplay *vd = vnc_display_find(NULL);
      SocketAddress *addr = NULL;
  
-    if (vd == NULL || !vd->nlsock) {
+    if (vd == NULL || !vd->listener || !vd->listener->nsioc) {
          info->enabled = false;
      } else {
          info->enabled = true;
@@ -388,11 +387,8 @@ VncInfo *qmp_query_vnc(Error **errp)
          info->has_clients = true;
          info->clients = qmp_query_client_list(vd);
  
-        if (vd->lsock == NULL) {
-            return info;
-        }
-
-        addr = qio_channel_socket_get_local_address(vd->lsock[0], errp);
+        addr = qio_channel_socket_get_local_address(vd->listener->sioc[0],
+                                                    errp);
          if (!addr) {
              goto out_error;
          }
@@ -417,7 +413,7 @@ VncInfo *qmp_query_vnc(Error **errp)
          case SOCKET_ADDRESS_TYPE_VSOCK:
          case SOCKET_ADDRESS_TYPE_FD:
              error_setg(errp, "Unsupported socket address type %s",
-                       SocketAddressType_lookup[addr->type]);
+                       SocketAddressType_str(addr->type));
              goto out_error;
          default:
              abort();
@@ -572,13 +568,14 @@ VncInfo2List *qmp_query_vnc_servers(Error **errp)
              info->has_display = true;
              info->display = g_strdup(dev->id);
          }
-        for (i = 0; i < vd->nlsock; i++) {
+        for (i = 0; vd->listener != NULL && i < vd->listener->nsioc; i++) {
              info->server = qmp_query_server_entry(
-                vd->lsock[i], false, vd->auth, vd->subauth, info->server);
+                vd->listener->sioc[i], false, vd->auth, vd->subauth,
+                info->server);
          }
-        for (i = 0; i < vd->nlwebsock; i++) {
+        for (i = 0; vd->wslistener != NULL && i < vd->wslistener->nsioc; i++) {
              info->server = qmp_query_server_entry(
-                vd->lwebsock[i], true, vd->ws_auth,
+                vd->wslistener->sioc[i], true, vd->ws_auth,
                  vd->ws_subauth, info->server);
          }
  
@@ -597,7 +594,7 @@ VncInfo2List *qmp_query_vnc_servers(Error **errp)
     3) resolutions > 1024
  */
  
-static int vnc_update_client(VncState *vs, int has_dirty, bool sync);
+static int vnc_update_client(VncState *vs, int has_dirty);
  static void vnc_disconnect_start(VncState *vs);
  
  static void vnc_colordepth(VncState *vs);
@@ -672,6 +669,11 @@ static void vnc_desktop_resize(VncState *vs)
          vs->client_height == pixman_image_get_height(vs->vd->server)) {
          return;
      }
+
+    assert(pixman_image_get_width(vs->vd->server) < 65536 &&
+           pixman_image_get_width(vs->vd->server) >= 0);
+    assert(pixman_image_get_height(vs->vd->server) < 65536 &&
+           pixman_image_get_height(vs->vd->server) >= 0);
      vs->client_width = pixman_image_get_width(vs->vd->server);
      vs->client_height = pixman_image_get_height(vs->vd->server);
      vnc_lock_output(vs);
@@ -698,6 +700,12 @@ static void vnc_abort_display_jobs(VncDisplay *vd)
      }
      QTAILQ_FOREACH(vs, &vd->clients, next) {
          vnc_lock_output(vs);
+        if (vs->update == VNC_STATE_UPDATE_NONE &&
+            vs->job_update != VNC_STATE_UPDATE_NONE) {
+            /* job aborted before completion */
+            vs->update = vs->job_update;
+            vs->job_update = VNC_STATE_UPDATE_NONE;
+        }
          vs->abort = false;
          vnc_unlock_output(vs);
      }
@@ -740,23 +748,52 @@ static void vnc_update_server_surface(VncDisplay *vd)
                         width, height);
  }
  
+static bool vnc_check_pageflip(DisplaySurface *s1,
+                               DisplaySurface *s2)
+{
+    return (s1 != NULL &&
+            s2 != NULL &&
+            surface_width(s1) == surface_width(s2) &&
+            surface_height(s1) == surface_height(s2) &&
+            surface_format(s1) == surface_format(s2));
+
+}
+
  static void vnc_dpy_switch(DisplayChangeListener *dcl,
                             DisplaySurface *surface)
  {
+    static const char placeholder_msg[] =
+        "Display output is not active.";
+    static DisplaySurface *placeholder;
      VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+    bool pageflip = vnc_check_pageflip(vd->ds, surface);
      VncState *vs;
  
+    if (surface == NULL) {
+        if (placeholder == NULL) {
+            placeholder = qemu_create_message_surface(640, 480, placeholder_msg);
+        }
+        surface = placeholder;
+    }
+
      vnc_abort_display_jobs(vd);
      vd->ds = surface;
  
-    /* server surface */
-    vnc_update_server_surface(vd);
-
      /* guest surface */
      qemu_pixman_image_unref(vd->guest.fb);
      vd->guest.fb = pixman_image_ref(surface->image);
      vd->guest.format = surface->format;
  
+    if (pageflip) {
+        vnc_set_area_dirty(vd->guest.dirty, vd, 0, 0,
+                           surface_width(surface),
+                           surface_height(surface));
+        return;
+    }
+
+    /* server surface */
+    vnc_update_server_surface(vd);
+
      QTAILQ_FOREACH(vs, &vd->clients, next) {
          vnc_colordepth(vs);
          vnc_desktop_resize(vs);
@@ -767,6 +804,7 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
          vnc_set_area_dirty(vs->dirty, vd, 0, 0,
                             vnc_width(vd),
                             vnc_height(vd));
+        vnc_update_throttle_offset(vs);
      }
  }
  
@@ -962,85 +1000,161 @@ static int find_and_clear_dirty_height(VncState *vs,
      return h;
  }
  
-static int vnc_update_client(VncState *vs, int has_dirty, bool sync)
+/*
+ * Figure out how much pending data we should allow in the output
+ * buffer before we throttle incremental display updates, and/or
+ * drop audio samples.
+ *
+ * We allow for equiv of 1 full display's worth of FB updates,
+ * and 1 second of audio samples. If audio backlog was larger
+ * than that the client would already suffering awful audio
+ * glitches, so dropping samples is no worse really).
+ */
+static void vnc_update_throttle_offset(VncState *vs)
  {
-    if (vs->disconnecting) {
-        vnc_disconnect_finish(vs);
-        return 0;
+    size_t offset =
+        vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
+
+    if (vs->audio_cap) {
+        int bps;
+        switch (vs->as.fmt) {
+        default:
+        case  AUDIO_FORMAT_U8:
+        case  AUDIO_FORMAT_S8:
+            bps = 1;
+            break;
+        case  AUDIO_FORMAT_U16:
+        case  AUDIO_FORMAT_S16:
+            bps = 2;
+            break;
+        case  AUDIO_FORMAT_U32:
+        case  AUDIO_FORMAT_S32:
+            bps = 4;
+            break;
+        }
+        offset += vs->as.freq * bps * vs->as.nchannels;
      }
  
-    vs->has_dirty += has_dirty;
-    if (vs->need_update && !vs->disconnecting) {
-        VncDisplay *vd = vs->vd;
-        VncJob *job;
-        int y;
-        int height, width;
-        int n = 0;
-
-        if (vs->output.offset && !vs->audio_cap && !vs->force_update)
-            /* kernel send buffers are full -> drop frames to throttle */
-            return 0;
+    /* Put a floor of 1MB on offset, so that if we have a large pending
+     * buffer and the display is resized to a small size & back again
+     * we don't suddenly apply a tiny send limit
+     */
+    offset = MAX(offset, 1024 * 1024);
  
-        if (!vs->has_dirty && !vs->audio_cap && !vs->force_update)
-            return 0;
+    if (vs->throttle_output_offset != offset) {
+        trace_vnc_client_throttle_threshold(
+            vs, vs->ioc, vs->throttle_output_offset, offset, vs->client_width,
+            vs->client_height, vs->client_pf.bytes_per_pixel, vs->audio_cap);
+    }
  
-        /*
-         * Send screen updates to the vnc client using the server
-         * surface and server dirty map.  guest surface updates
-         * happening in parallel don't disturb us, the next pass will
-         * send them to the client.
+    vs->throttle_output_offset = offset;
+}
+
+static bool vnc_should_update(VncState *vs)
+{
+    switch (vs->update) {
+    case VNC_STATE_UPDATE_NONE:
+        break;
+    case VNC_STATE_UPDATE_INCREMENTAL:
+        /* Only allow incremental updates if the pending send queue
+         * is less than the permitted threshold, and the job worker
+         * is completely idle.
           */
-        job = vnc_job_new(vs);
-
-        height = pixman_image_get_height(vd->server);
-        width = pixman_image_get_width(vd->server);
-
-        y = 0;
-        for (;;) {
-            int x, h;
-            unsigned long x2;
-            unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
-                                                 height * VNC_DIRTY_BPL(vs),
-                                                 y * VNC_DIRTY_BPL(vs));
-            if (offset == height * VNC_DIRTY_BPL(vs)) {
-                /* no more dirty bits */
-                break;
-            }
-            y = offset / VNC_DIRTY_BPL(vs);
-            x = offset % VNC_DIRTY_BPL(vs);
-            x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
-                                    VNC_DIRTY_BPL(vs), x);
-            bitmap_clear(vs->dirty[y], x, x2 - x);
-            h = find_and_clear_dirty_height(vs, y, x, x2, height);
-            x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
-            if (x2 > x) {
-                n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
-                                      (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
-            }
-            if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
-                y += h;
-                if (y == height) {
-                    break;
-                }
-            }
+        if (vs->output.offset < vs->throttle_output_offset &&
+            vs->job_update == VNC_STATE_UPDATE_NONE) {
+            return true;
          }
-
-        vnc_job_push(job);
-        if (sync) {
-            vnc_jobs_join(vs);
+        trace_vnc_client_throttle_incremental(
+            vs, vs->ioc, vs->job_update, vs->output.offset);
+        break;
+    case VNC_STATE_UPDATE_FORCE:
+        /* Only allow forced updates if the pending send queue
+         * does not contain a previous forced update, and the
+         * job worker is completely idle.
+         *
+         * Note this means we'll queue a forced update, even if
+         * the output buffer size is otherwise over the throttle
+         * output limit.
+         */
+        if (vs->force_update_offset == 0 &&
+            vs->job_update == VNC_STATE_UPDATE_NONE) {
+            return true;
          }
-        vs->force_update = 0;
-        vs->has_dirty = 0;
-        return n;
+        trace_vnc_client_throttle_forced(
+            vs, vs->ioc, vs->job_update, vs->force_update_offset);
+        break;
      }
+    return false;
+}
+
+static int vnc_update_client(VncState *vs, int has_dirty)
+{
+    VncDisplay *vd = vs->vd;
+    VncJob *job;
+    int y;
+    int height, width;
+    int n = 0;
  
      if (vs->disconnecting) {
          vnc_disconnect_finish(vs);
-    } else if (sync) {
-        vnc_jobs_join(vs);
+        return 0;
      }
  
-    return 0;
+    vs->has_dirty += has_dirty;
+    if (!vnc_should_update(vs)) {
+        return 0;
+    }
+
+    if (!vs->has_dirty && vs->update != VNC_STATE_UPDATE_FORCE) {
+        return 0;
+    }
+
+    /*
+     * Send screen updates to the vnc client using the server
+     * surface and server dirty map.  guest surface updates
+     * happening in parallel don't disturb us, the next pass will
+     * send them to the client.
+     */
+    job = vnc_job_new(vs);
+
+    height = pixman_image_get_height(vd->server);
+    width = pixman_image_get_width(vd->server);
+
+    y = 0;
+    for (;;) {
+        int x, h;
+        unsigned long x2;
+        unsigned long offset = find_next_bit((unsigned long *) &vs->dirty,
+                                             height * VNC_DIRTY_BPL(vs),
+                                             y * VNC_DIRTY_BPL(vs));
+        if (offset == height * VNC_DIRTY_BPL(vs)) {
+            /* no more dirty bits */
+            break;
+        }
+        y = offset / VNC_DIRTY_BPL(vs);
+        x = offset % VNC_DIRTY_BPL(vs);
+        x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y],
+                                VNC_DIRTY_BPL(vs), x);
+        bitmap_clear(vs->dirty[y], x, x2 - x);
+        h = find_and_clear_dirty_height(vs, y, x, x2, height);
+        x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
+        if (x2 > x) {
+            n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
+                                  (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
+        }
+        if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
+            y += h;
+            if (y == height) {
+                break;
+            }
+        }
+    }
+
+    vs->job_update = vs->update;
+    vs->update = VNC_STATE_UPDATE_NONE;
+    vnc_job_push(job);
+    vs->has_dirty = 0;
+    return n;
  }
  
  /* audio */
@@ -1048,6 +1162,7 @@ static void audio_capture_notify(void *opaque, audcnotification_e cmd)
  {
      VncState *vs = opaque;
  
+    assert(vs->magic == VNC_MAGIC);
      switch (cmd) {
      case AUD_CNOTIFY_DISABLE:
          vnc_lock_output(vs);
@@ -1077,12 +1192,17 @@ static void audio_capture(void *opaque, void *buf, int size)
  {
      VncState *vs = opaque;
  
+    assert(vs->magic == VNC_MAGIC);
      vnc_lock_output(vs);
-    vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
-    vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
-    vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
-    vnc_write_u32(vs, size);
-    vnc_write(vs, buf, size);
+    if (vs->output.offset < vs->throttle_output_offset) {
+        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
+        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
+        vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
+        vnc_write_u32(vs, size);
+        vnc_write(vs, buf, size);
+    } else {
+        trace_vnc_client_throttle_audio(vs, vs->ioc, vs->output.offset);
+    }
      vnc_unlock_output(vs);
      vnc_flush(vs);
  }
@@ -1119,9 +1239,11 @@ static void vnc_disconnect_start(VncState *vs)
      if (vs->disconnecting) {
          return;
      }
+    trace_vnc_client_disconnect_start(vs, vs->ioc);
      vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
      if (vs->ioc_tag) {
          g_source_remove(vs->ioc_tag);
+        vs->ioc_tag = 0;
      }
      qio_channel_close(vs->ioc, NULL);
      vs->disconnecting = TRUE;
@@ -1131,6 +1253,8 @@ void vnc_disconnect_finish(VncState *vs)
  {
      int i;
  
+    trace_vnc_client_disconnect_finish(vs, vs->ioc);
+
      vnc_jobs_join(vs); /* Wait encoding jobs */
  
      vnc_lock_output(vs);
@@ -1149,7 +1273,7 @@ void vnc_disconnect_finish(VncState *vs)
      vnc_sasl_client_cleanup(vs);
  #endif /* CONFIG_VNC_SASL */
      audio_del(vs);
-    vnc_release_modifiers(vs);
+    qkbd_state_lift_all_keys(vs->vd->kbd);
  
      if (vs->mouse_mode_notifier.notify != NULL) {
          qemu_remove_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
@@ -1177,18 +1301,20 @@ void vnc_disconnect_finish(VncState *vs)
      vs->ioc = NULL;
      object_unref(OBJECT(vs->sioc));
      vs->sioc = NULL;
+    vs->magic = 0;
      g_free(vs);
  }
  
-ssize_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
+size_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
  {
      if (ret <= 0) {
          if (ret == 0) {
-            VNC_DEBUG("Closing down client sock: EOF\n");
+            trace_vnc_client_eof(vs, vs->ioc);
              vnc_disconnect_start(vs);
          } else if (ret != QIO_CHANNEL_ERR_BLOCK) {
-            VNC_DEBUG("Closing down client sock: ret %zd (%s)\n",
-                      ret, errp ? error_get_pretty(*errp) : "Unknown");
+            trace_vnc_client_io_error(vs, vs->ioc,
+                                      errp ? error_get_pretty(*errp) :
+                                      "Unknown");
              vnc_disconnect_start(vs);
          }
  
@@ -1222,9 +1348,9 @@ void vnc_client_error(VncState *vs)
   *
   * Returns the number of bytes written, which may be less than
   * the requested 'datalen' if the socket would block. Returns
- * -1 on error, and disconnects the client socket.
+ * 0 on I/O error, and disconnects the client socket.
   */
-ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
+size_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
  {
      Error *err = NULL;
      ssize_t ret;
@@ -1242,12 +1368,13 @@ ssize_t vnc_client_write_buf(VncState *vs, const uint8_t *data, size_t datalen)
   * will switch the FD poll() handler back to read monitoring.
   *
   * Returns the number of bytes written, which may be less than
- * the buffered output data if the socket would block. Returns
- * -1 on error, and disconnects the client socket.
+ * the buffered output data if the socket would block.  Returns
+ * 0 on I/O error, and disconnects the client socket.
   */
-static ssize_t vnc_client_write_plain(VncState *vs)
+static size_t vnc_client_write_plain(VncState *vs)
  {
-    ssize_t ret;
+    size_t offset;
+    size_t ret;
  
  #ifdef CONFIG_VNC_SASL
      VNC_DEBUG("Write Plain: Pending output %p size %zd offset %zd. Wait SSF %d\n",
@@ -1266,7 +1393,20 @@ static ssize_t vnc_client_write_plain(VncState *vs)
      if (!ret)
          return 0;
  
+    if (ret >= vs->force_update_offset) {
+        if (vs->force_update_offset != 0) {
+            trace_vnc_client_unthrottle_forced(vs, vs->ioc);
+        }
+        vs->force_update_offset = 0;
+    } else {
+        vs->force_update_offset -= ret;
+    }
+    offset = vs->output.offset;
      buffer_advance(&vs->output, ret);
+    if (offset >= vs->throttle_output_offset &&
+        vs->output.offset < vs->throttle_output_offset) {
+        trace_vnc_client_unthrottle_incremental(vs, vs->ioc, vs->output.offset);
+    }
  
      if (vs->output.offset == 0) {
          if (vs->ioc_tag) {
@@ -1301,7 +1441,7 @@ static void vnc_client_write_locked(VncState *vs)
  
  static void vnc_client_write(VncState *vs)
  {
-
+    assert(vs->magic == VNC_MAGIC);
      vnc_lock_output(vs);
      if (vs->output.offset) {
          vnc_client_write_locked(vs);
@@ -1335,9 +1475,9 @@ void vnc_read_when(VncState *vs, VncReadEvent *func, size_t expecting)
   *
   * Returns the number of bytes read, which may be less than
   * the requested 'datalen' if the socket would block. Returns
- * -1 on error, and disconnects the client socket.
+ * 0 on I/O error or EOF, and disconnects the client socket.
   */
-ssize_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
+size_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
  {
      ssize_t ret;
      Error *err = NULL;
@@ -1353,12 +1493,13 @@ ssize_t vnc_client_read_buf(VncState *vs, uint8_t *data, size_t datalen)
   * when not using any SASL SSF encryption layers. Will read as much
   * data as possible without blocking.
   *
- * Returns the number of bytes read. Returns -1 on error, and
- * disconnects the client socket.
+ * Returns the number of bytes read, which may be less than
+ * the requested 'datalen' if the socket would block. Returns
+ * 0 on I/O error or EOF, and disconnects the client socket.
   */
-static ssize_t vnc_client_read_plain(VncState *vs)
+static size_t vnc_client_read_plain(VncState *vs)
  {
-    ssize_t ret;
+    size_t ret;
      VNC_DEBUG("Read plain %p size %zd offset %zd\n",
                vs->input.buffer, vs->input.capacity, vs->input.offset);
      buffer_reserve(&vs->input, 4096);
@@ -1373,6 +1514,7 @@ static void vnc_jobs_bh(void *opaque)
  {
      VncState *vs = opaque;
  
+    assert(vs->magic == VNC_MAGIC);
      vnc_jobs_consume_buffer(vs);
  }
  
@@ -1384,7 +1526,7 @@ static void vnc_jobs_bh(void *opaque)
   */
  static int vnc_client_read(VncState *vs)
  {
-    ssize_t ret;
+    size_t ret;
  
  #ifdef CONFIG_VNC_SASL
      if (vs->sasl.conn && vs->sasl.runSSF)
@@ -1423,20 +1565,62 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
                         GIOCondition condition, void *opaque)
  {
      VncState *vs = opaque;
+
+    assert(vs->magic == VNC_MAGIC);
      if (condition & G_IO_IN) {
          if (vnc_client_read(vs) < 0) {
+            /* vs is free()ed here */
              return TRUE;
          }
      }
      if (condition & G_IO_OUT) {
          vnc_client_write(vs);
      }
+
+    if (vs->disconnecting) {
+        if (vs->ioc_tag != 0) {
+            g_source_remove(vs->ioc_tag);
+        }
+        vs->ioc_tag = 0;
+    }
      return TRUE;
  }
  
  
+/*
+ * Scale factor to apply to vs->throttle_output_offset when checking for
+ * hard limit. Worst case normal usage could be x2, if we have a complete
+ * incremental update and complete forced update in the output buffer.
+ * So x3 should be good enough, but we pick x5 to be conservative and thus
+ * (hopefully) never trigger incorrectly.
+ */
+#define VNC_THROTTLE_OUTPUT_LIMIT_SCALE 5
+
  void vnc_write(VncState *vs, const void *data, size_t len)
  {
+    assert(vs->magic == VNC_MAGIC);
+    if (vs->disconnecting) {
+        return;
+    }
+    /* Protection against malicious client/guest to prevent our output
+     * buffer growing without bound if client stops reading data. This
+     * should rarely trigger, because we have earlier throttling code
+     * which stops issuing framebuffer updates and drops audio data
+     * if the throttle_output_offset value is exceeded. So we only reach
+     * this higher level if a huge number of pseudo-encodings get
+     * triggered while data can't be sent on the socket.
+     *
+     * NB throttle_output_offset can be zero during early protocol
+     * handshake, or from the job thread's VncState clone
+     */
+    if (vs->throttle_output_offset != 0 &&
+        (vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
+        vs->throttle_output_offset) {
+        trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
+                                      vs->throttle_output_offset);
+        vnc_disconnect_start(vs);
+        return;
+    }
      buffer_reserve(&vs->output, len);
  
      if (vs->ioc != NULL && buffer_empty(&vs->output)) {
@@ -1488,6 +1672,12 @@ void vnc_flush(VncState *vs)
      if (vs->ioc != NULL && vs->output.offset) {
          vnc_client_write_locked(vs);
      }
+    if (vs->disconnecting) {
+        if (vs->ioc_tag != 0) {
+            g_source_remove(vs->ioc_tag);
+        }
+        vs->ioc_tag = 0;
+    }
      vnc_unlock_output(vs);
  }
  
@@ -1572,25 +1762,10 @@ static void pointer_event(VncState *vs, int button_mask, int x, int y)
      qemu_input_event_sync();
  }
  
-static void reset_keys(VncState *vs)
+static void press_key(VncState *vs, QKeyCode qcode)
  {
-    int i;
-    for(i = 0; i < 256; i++) {
-        if (vs->modifiers_state[i]) {
-            qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
-            qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
-            vs->modifiers_state[i] = 0;
-        }
-    }
-}
-
-static void press_key(VncState *vs, int keysym)
-{
-    int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
-    qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
-    qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
-    qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
-    qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
+    qkbd_state_key_event(vs->vd->kbd, qcode, true);
+    qkbd_state_key_event(vs->vd->kbd, qcode, false);
  }
  
  static void vnc_led_state_change(VncState *vs)
@@ -1631,32 +1806,20 @@ static void kbd_leds(void *opaque, int ledstate)
  
  static void do_key_event(VncState *vs, int down, int keycode, int sym)
  {
+    QKeyCode qcode = qemu_input_key_number_to_qcode(keycode);
+
      /* QEMU console switch */
-    switch(keycode) {
-    case 0x2a:                          /* Left Shift */
-    case 0x36:                          /* Right Shift */
-    case 0x1d:                          /* Left CTRL */
-    case 0x9d:                          /* Right CTRL */
-    case 0x38:                          /* Left ALT */
-    case 0xb8:                          /* Right ALT */
-        if (down)
-            vs->modifiers_state[keycode] = 1;
-        else
-            vs->modifiers_state[keycode] = 0;
-        break;
-    case 0x02 ... 0x0a: /* '1' to '9' keys */
-        if (vs->vd->dcl.con == NULL &&
-            down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
+    switch (qcode) {
+    case Q_KEY_CODE_1 ... Q_KEY_CODE_9: /* '1' to '9' keys */
+        if (vs->vd->dcl.con == NULL && down &&
+            qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL) &&
+            qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_ALT)) {
              /* Reset the modifiers sent to the current console */
-            reset_keys(vs);
-            console_select(keycode - 0x02);
+            qkbd_state_lift_all_keys(vs->vd->kbd);
+            console_select(qcode - Q_KEY_CODE_1);
              return;
          }
-        break;
-    case 0x3a:                        /* CapsLock */
-    case 0x45:                        /* NumLock */
-        if (down)
-            vs->modifiers_state[keycode] ^= 1;
+    default:
          break;
      }
  
@@ -1671,16 +1834,14 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
             toggles numlock away from the VNC window.
          */
          if (keysym_is_numlock(vs->vd->kbd_layout, sym & 0xFFFF)) {
-            if (!vs->modifiers_state[0x45]) {
+            if (!qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
                  trace_vnc_key_sync_numlock(true);
-                vs->modifiers_state[0x45] = 1;
-                press_key(vs, 0xff7f);
+                press_key(vs, Q_KEY_CODE_NUM_LOCK);
              }
          } else {
-            if (vs->modifiers_state[0x45]) {
+            if (qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK)) {
                  trace_vnc_key_sync_numlock(false);
-                vs->modifiers_state[0x45] = 0;
-                press_key(vs, 0xff7f);
+                press_key(vs, Q_KEY_CODE_NUM_LOCK);
              }
          }
      }
@@ -1693,30 +1854,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
             toggles capslock away from the VNC window.
          */
          int uppercase = !!(sym >= 'A' && sym <= 'Z');
-        int shift = !!(vs->modifiers_state[0x2a] | vs->modifiers_state[0x36]);
-        int capslock = !!(vs->modifiers_state[0x3a]);
+        bool shift = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_SHIFT);
+        bool capslock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CAPSLOCK);
          if (capslock) {
              if (uppercase == shift) {
                  trace_vnc_key_sync_capslock(false);
-                vs->modifiers_state[0x3a] = 0;
-                press_key(vs, 0xffe5);
+                press_key(vs, Q_KEY_CODE_CAPS_LOCK);
              }
          } else {
              if (uppercase != shift) {
                  trace_vnc_key_sync_capslock(true);
-                vs->modifiers_state[0x3a] = 1;
-                press_key(vs, 0xffe5);
+                press_key(vs, Q_KEY_CODE_CAPS_LOCK);
              }
          }
      }
  
-    if (qemu_console_is_graphic(NULL)) {
-        qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
-        qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
-    } else {
-        bool numlock = vs->modifiers_state[0x45];
-        bool control = (vs->modifiers_state[0x1d] ||
-                        vs->modifiers_state[0x9d]);
+    qkbd_state_key_event(vs->vd->kbd, qcode, down);
+    if (!qemu_console_is_graphic(NULL)) {
+        bool numlock = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_NUMLOCK);
+        bool control = qkbd_state_modifier_get(vs->vd->kbd, QKBD_MOD_CTRL);
          /* QEMU console emulation */
          if (down) {
              switch (keycode) {
@@ -1817,30 +1973,9 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
      }
  }
  
-static void vnc_release_modifiers(VncState *vs)
-{
-    static const int keycodes[] = {
-        /* shift, control, alt keys, both left & right */
-        0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
-    };
-    int i, keycode;
-
-    if (!qemu_console_is_graphic(NULL)) {
-        return;
-    }
-    for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
-        keycode = keycodes[i];
-        if (!vs->modifiers_state[keycode]) {
-            continue;
-        }
-        qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
-        qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
-    }
-}
-
  static const char *code2name(int keycode)
  {
-    return QKeyCode_lookup[qemu_input_key_number_to_qcode(keycode)];
+    return QKeyCode_str(qemu_input_key_number_to_qcode(keycode));
  }
  
  static void key_event(VncState *vs, int down, uint32_t sym)
@@ -1852,7 +1987,8 @@ static void key_event(VncState *vs, int down, uint32_t sym)
          lsym = lsym - 'A' + 'a';
      }
  
-    keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF) & SCANCODE_KEYMASK;
+    keycode = keysym2scancode(vs->vd->kbd_layout, lsym & 0xFFFF,
+                              vs->vd->kbd, down) & SCANCODE_KEYMASK;
      trace_vnc_key_event_map(down, sym, keycode, code2name(keycode));
      do_key_event(vs, down, keycode, sym);
  }
@@ -1872,14 +2008,14 @@ static void ext_key_event(VncState *vs, int down,
  static void framebuffer_update_request(VncState *vs, int incremental,
                                         int x, int y, int w, int h)
  {
-    vs->need_update = 1;
-
      if (incremental) {
-        return;
+        if (vs->update != VNC_STATE_UPDATE_FORCE) {
+            vs->update = VNC_STATE_UPDATE_INCREMENTAL;
+        }
+    } else {
+        vs->update = VNC_STATE_UPDATE_FORCE;
+        vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
      }
-
-    vs->force_update = 1;
-    vnc_set_area_dirty(vs->dirty, vs->vd, x, y, w, h);
  }
  
  static void send_ext_key_event_ack(VncState *vs)
@@ -2137,6 +2273,7 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
  {
      int i;
      uint16_t limit;
+    uint32_t freq;
      VncDisplay *vd = vs->vd;
  
      if (data[0] > 3) {
@@ -2238,12 +2375,12 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
                  if (len == 4)
                      return 10;
                  switch (read_u8(data, 4)) {
-                case 0: vs->as.fmt = AUD_FMT_U8; break;
-                case 1: vs->as.fmt = AUD_FMT_S8; break;
-                case 2: vs->as.fmt = AUD_FMT_U16; break;
-                case 3: vs->as.fmt = AUD_FMT_S16; break;
-                case 4: vs->as.fmt = AUD_FMT_U32; break;
-                case 5: vs->as.fmt = AUD_FMT_S32; break;
+                case 0: vs->as.fmt = AUDIO_FORMAT_U8; break;
+                case 1: vs->as.fmt = AUDIO_FORMAT_S8; break;
+                case 2: vs->as.fmt = AUDIO_FORMAT_U16; break;
+                case 3: vs->as.fmt = AUDIO_FORMAT_S16; break;
+                case 4: vs->as.fmt = AUDIO_FORMAT_U32; break;
+                case 5: vs->as.fmt = AUDIO_FORMAT_S32; break;
                  default:
                      VNC_DEBUG("Invalid audio format %d\n", read_u8(data, 4));
                      vnc_client_error(vs);
@@ -2251,12 +2388,22 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
                  }
                  vs->as.nchannels = read_u8(data, 5);
                  if (vs->as.nchannels != 1 && vs->as.nchannels != 2) {
-                    VNC_DEBUG("Invalid audio channel coount %d\n",
+                    VNC_DEBUG("Invalid audio channel count %d\n",
                                read_u8(data, 5));
                      vnc_client_error(vs);
                      break;
                  }
-                vs->as.freq = read_u32(data, 6);
+                freq = read_u32(data, 6);
+                /* No official limit for protocol, but 48khz is a sensible
+                 * upper bound for trustworthy clients, and this limit
+                 * protects calculations involving 'vs->as.freq' later.
+                 */
+                if (freq > 48000) {
+                    VNC_DEBUG("Invalid audio frequency %u > 48000", freq);
+                    vnc_client_error(vs);
+                    break;
+                }
+                vs->as.freq = freq;
                  break;
              default:
                  VNC_DEBUG("Invalid audio message %d\n", read_u8(data, 4));
@@ -2277,6 +2424,7 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
          break;
      }
  
+    vnc_update_throttle_offset(vs);
      vnc_read_when(vs, protocol_client_msg, 1);
      return 0;
  }
@@ -2350,6 +2498,10 @@ static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
          return 0;
      }
  
+    assert(pixman_image_get_width(vs->vd->server) < 65536 &&
+           pixman_image_get_width(vs->vd->server) >= 0);
+    assert(pixman_image_get_height(vs->vd->server) < 65536 &&
+           pixman_image_get_height(vs->vd->server) >= 0);
      vs->client_width = pixman_image_get_width(vs->vd->server);
      vs->client_height = pixman_image_get_height(vs->vd->server);
      vnc_write_u16(vs, vs->client_width);
@@ -2403,11 +2555,11 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
      Error *err = NULL;
  
      if (!vs->vd->password) {
-        VNC_DEBUG("No password configured on server");
+        trace_vnc_auth_fail(vs, vs->auth, "password is not set", "");
          goto reject;
      }
      if (vs->vd->expires < now) {
-        VNC_DEBUG("Password is expired");
+        trace_vnc_auth_fail(vs, vs->auth, "password is expired", "");
          goto reject;
      }
  
@@ -2424,8 +2576,8 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
          key, G_N_ELEMENTS(key),
          &err);
      if (!cipher) {
-        VNC_DEBUG("Cannot initialize cipher %s",
-                  error_get_pretty(err));
+        trace_vnc_auth_fail(vs, vs->auth, "cannot create cipher",
+                            error_get_pretty(err));
          error_free(err);
          goto reject;
      }
@@ -2435,18 +2587,18 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
                                 response,
                                 VNC_AUTH_CHALLENGE_SIZE,
                                 &err) < 0) {
-        VNC_DEBUG("Cannot encrypt challenge %s",
-                  error_get_pretty(err));
+        trace_vnc_auth_fail(vs, vs->auth, "cannot encrypt challenge response",
+                            error_get_pretty(err));
          error_free(err);
          goto reject;
      }
  
      /* Compare expected vs actual challenge response */
      if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
-        VNC_DEBUG("Client challenge response did not match\n");
+        trace_vnc_auth_fail(vs, vs->auth, "mis-matched challenge response", "");
          goto reject;
      } else {
-        VNC_DEBUG("Accepting VNC challenge response\n");
+        trace_vnc_auth_pass(vs, vs->auth);
          vnc_write_u32(vs, 0); /* Accept auth */
          vnc_flush(vs);
  
@@ -2485,7 +2637,7 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
      /* We only advertise 1 auth scheme at a time, so client
       * must pick the one we sent. Verify this */
      if (data[0] != vs->auth) { /* Reject auth */
-       VNC_DEBUG("Reject auth %d because it didn't match advertized\n", (int)data[0]);
+       trace_vnc_auth_reject(vs, vs->auth, (int)data[0]);
         vnc_write_u32(vs, 1);
         if (vs->minor >= 8) {
             static const char err[] = "Authentication failed";
@@ -2494,36 +2646,33 @@ static int protocol_client_auth(VncState *vs, uint8_t *data, size_t len)
         }
         vnc_client_error(vs);
      } else { /* Accept requested auth */
-       VNC_DEBUG("Client requested auth %d\n", (int)data[0]);
+       trace_vnc_auth_start(vs, vs->auth);
         switch (vs->auth) {
         case VNC_AUTH_NONE:
-           VNC_DEBUG("Accept auth none\n");
             if (vs->minor >= 8) {
                 vnc_write_u32(vs, 0); /* Accept auth completion */
                 vnc_flush(vs);
             }
+           trace_vnc_auth_pass(vs, vs->auth);
             start_client_init(vs);
             break;
  
         case VNC_AUTH_VNC:
-           VNC_DEBUG("Start VNC auth\n");
             start_auth_vnc(vs);
             break;
  
         case VNC_AUTH_VENCRYPT:
-           VNC_DEBUG("Accept VeNCrypt auth\n");
             start_auth_vencrypt(vs);
             break;
  
  #ifdef CONFIG_VNC_SASL
         case VNC_AUTH_SASL:
-           VNC_DEBUG("Accept SASL auth\n");
             start_auth_sasl(vs);
             break;
  #endif /* CONFIG_VNC_SASL */
  
         default: /* Should not be possible, but just in case */
-           VNC_DEBUG("Reject auth %d server code bug\n", vs->auth);
+           trace_vnc_auth_fail(vs, vs->auth, "Unhandled auth method", "");
             vnc_write_u8(vs, 1);
             if (vs->minor >= 8) {
                 static const char err[] = "Authentication failed";
@@ -2568,10 +2717,11 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
          vs->minor = 3;
  
      if (vs->minor == 3) {
+        trace_vnc_auth_start(vs, vs->auth);
          if (vs->auth == VNC_AUTH_NONE) {
-            VNC_DEBUG("Tell client auth none\n");
              vnc_write_u32(vs, vs->auth);
              vnc_flush(vs);
+            trace_vnc_auth_pass(vs, vs->auth);
              start_client_init(vs);
         } else if (vs->auth == VNC_AUTH_VNC) {
              VNC_DEBUG("Tell client VNC auth\n");
@@ -2579,13 +2729,13 @@ static int protocol_version(VncState *vs, uint8_t *version, size_t len)
              vnc_flush(vs);
              start_auth_vnc(vs);
         } else {
-            VNC_DEBUG("Unsupported auth %d for protocol 3.3\n", vs->auth);
+            trace_vnc_auth_fail(vs, vs->auth,
+                                "Unsupported auth method for v3.3", "");
              vnc_write_u32(vs, VNC_AUTH_INVALID);
              vnc_flush(vs);
              vnc_client_error(vs);
         }
      } else {
-        VNC_DEBUG("Telling client we support auth %d\n", vs->auth);
          vnc_write_u8(vs, 1); /* num auth */
          vnc_write_u8(vs, vs->auth);
          vnc_read_when(vs, protocol_client_auth, 1);
@@ -2625,8 +2775,8 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
      int stx = x / VNC_STAT_RECT;
      int has_dirty = 0;
  
-    y = y / VNC_STAT_RECT * VNC_STAT_RECT;
-    x = x / VNC_STAT_RECT * VNC_STAT_RECT;
+    y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
+    x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
  
      QTAILQ_FOREACH(vs, &vd->clients, next) {
          int j;
@@ -2715,8 +2865,8 @@ double vnc_update_freq(VncState *vs, int x, int y, int w, int h)
      double total = 0;
      int num = 0;
  
-    x =  (x / VNC_STAT_RECT) * VNC_STAT_RECT;
-    y =  (y / VNC_STAT_RECT) * VNC_STAT_RECT;
+    x =  QEMU_ALIGN_DOWN(x, VNC_STAT_RECT);
+    y =  QEMU_ALIGN_DOWN(y, VNC_STAT_RECT);
  
      for (j = y; j <= y + h; j += VNC_STAT_RECT) {
          for (i = x; i <= x + w; i += VNC_STAT_RECT) {
@@ -2782,7 +2932,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
              PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
          guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
          guest_stride = pixman_image_get_stride(vd->guest.fb);
-        guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+        guest_ll = pixman_image_get_width(vd->guest.fb)
+                   * DIV_ROUND_UP(guest_bpp, 8);
      }
      line_bytes = MIN(server_stride, guest_ll);
  
@@ -2861,7 +3012,7 @@ static void vnc_refresh(DisplayChangeListener *dcl)
      vnc_unlock_display(vd);
  
      QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
-        rects += vnc_update_client(vs, has_dirty, false);
+        rects += vnc_update_client(vs, has_dirty);
          /* vs might be free()ed here */
      }
  
@@ -2885,6 +3036,8 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
      bool first_client = QTAILQ_EMPTY(&vd->clients);
      int i;
  
+    trace_vnc_client_connect(vs, sioc);
+    vs->magic = VNC_MAGIC;
      vs->sioc = sioc;
      object_ref(OBJECT(vs->sioc));
      vs->ioc = QIO_CHANNEL(sioc);
@@ -2910,8 +3063,8 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
      buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
  
      if (skipauth) {
-       vs->auth = VNC_AUTH_NONE;
-       vs->subauth = VNC_AUTH_INVALID;
+        vs->auth = VNC_AUTH_NONE;
+        vs->subauth = VNC_AUTH_INVALID;
      } else {
          if (websocket) {
              vs->auth = vd->ws_auth;
@@ -2932,6 +3085,9 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
      VNC_DEBUG("New client on socket %p\n", vs->sioc);
      update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_BASE);
      qio_channel_set_blocking(vs->ioc, false, NULL);
+    if (vs->ioc_tag) {
+        g_source_remove(vs->ioc_tag);
+    }
      if (websocket) {
          vs->websocket = 1;
          if (vd->tlscreds) {
@@ -2955,7 +3111,7 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
  
      vs->as.freq = 44100;
      vs->as.nchannels = 2;
-    vs->as.fmt = AUD_FMT_S16;
+    vs->as.fmt = AUDIO_FORMAT_S16;
      vs->as.endianness = 0;
  
      qemu_mutex_init(&vs->output_mutex);
@@ -2992,36 +3148,17 @@ void vnc_start_protocol(VncState *vs)
      qemu_add_mouse_mode_change_notifier(&vs->mouse_mode_notifier);
  }
  
-static gboolean vnc_listen_io(QIOChannel *ioc,
-                              GIOCondition condition,
-                              void *opaque)
+static void vnc_listen_io(QIONetListener *listener,
+                          QIOChannelSocket *cioc,
+                          void *opaque)
  {
      VncDisplay *vd = opaque;
-    QIOChannelSocket *sioc = NULL;
-    Error *err = NULL;
-    bool isWebsock = false;
-    size_t i;
-
-    for (i = 0; i < vd->nlwebsock; i++) {
-        if (ioc == QIO_CHANNEL(vd->lwebsock[i])) {
-            isWebsock = true;
-            break;
-        }
-    }
+    bool isWebsock = listener == vd->wslistener;
  
-    sioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), &err);
-    if (sioc != NULL) {
-        qio_channel_set_name(QIO_CHANNEL(sioc),
-                             isWebsock ? "vnc-ws-server" : "vnc-server");
-        qio_channel_set_delay(QIO_CHANNEL(sioc), false);
-        vnc_connect(vd, sioc, false, isWebsock);
-        object_unref(OBJECT(sioc));
-    } else {
-        /* client probably closed connection before we got there */
-        error_free(err);
-    }
-
-    return TRUE;
+    qio_channel_set_name(QIO_CHANNEL(cioc),
+                         isWebsock ? "vnc-ws-server" : "vnc-server");
+    qio_channel_set_delay(QIO_CHANNEL(cioc), false);
+    vnc_connect(vd, cioc, false, isWebsock);
  }
  
  static const DisplayChangeListenerOps dcl_ops = {
@@ -3034,7 +3171,7 @@ static const DisplayChangeListenerOps dcl_ops = {
      .dpy_cursor_define    = vnc_dpy_cursor_define,
  };
  
-void vnc_display_init(const char *id)
+void vnc_display_init(const char *id, Error **errp)
  {
      VncDisplay *vd;
  
@@ -3051,13 +3188,14 @@ void vnc_display_init(const char *id)
  
      if (keyboard_layout) {
          trace_vnc_key_map_init(keyboard_layout);
-        vd->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
+        vd->kbd_layout = init_keyboard_layout(name2keysym,
+                                              keyboard_layout, errp);
      } else {
-        vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us");
+        vd->kbd_layout = init_keyboard_layout(name2keysym, "en-us", errp);
      }
  
      if (!vd->kbd_layout) {
-        exit(1);
+        return;
      }
  
      vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
@@ -3068,39 +3206,28 @@ void vnc_display_init(const char *id)
  
      vd->dcl.ops = &dcl_ops;
      register_displaychangelistener(&vd->dcl);
+    vd->kbd = qkbd_state_init(vd->dcl.con);
  }
  
  
  static void vnc_display_close(VncDisplay *vd)
  {
-    size_t i;
      if (!vd) {
          return;
      }
      vd->is_unix = false;
-    for (i = 0; i < vd->nlsock; i++) {
-        if (vd->lsock_tag[i]) {
-            g_source_remove(vd->lsock_tag[i]);
-        }
-        object_unref(OBJECT(vd->lsock[i]));
+
+    if (vd->listener) {
+        qio_net_listener_disconnect(vd->listener);
+        object_unref(OBJECT(vd->listener));
      }
-    g_free(vd->lsock);
-    g_free(vd->lsock_tag);
-    vd->lsock = NULL;
-    vd->lsock_tag = NULL;
-    vd->nlsock = 0;
+    vd->listener = NULL;
  
-    for (i = 0; i < vd->nlwebsock; i++) {
-        if (vd->lwebsock_tag[i]) {
-            g_source_remove(vd->lwebsock_tag[i]);
-        }
-        object_unref(OBJECT(vd->lwebsock[i]));
+    if (vd->wslistener) {
+        qio_net_listener_disconnect(vd->wslistener);
+        object_unref(OBJECT(vd->wslistener));
      }
-    g_free(vd->lwebsock);
-    g_free(vd->lwebsock_tag);
-    vd->lwebsock = NULL;
-    vd->lwebsock_tag = NULL;
-    vd->nlwebsock = 0;
+    vd->wslistener = NULL;
  
      vd->auth = VNC_AUTH_INVALID;
      vd->subauth = VNC_AUTH_INVALID;
@@ -3108,12 +3235,24 @@ static void vnc_display_close(VncDisplay *vd)
          object_unparent(OBJECT(vd->tlscreds));
          vd->tlscreds = NULL;
      }
-    g_free(vd->tlsaclname);
-    vd->tlsaclname = NULL;
+    if (vd->tlsauthz) {
+        object_unparent(OBJECT(vd->tlsauthz));
+        vd->tlsauthz = NULL;
+    }
+    g_free(vd->tlsauthzid);
+    vd->tlsauthzid = NULL;
      if (vd->lock_key_sync) {
          qemu_remove_led_event_handler(vd->led);
          vd->led = NULL;
      }
+#ifdef CONFIG_VNC_SASL
+    if (vd->sasl.authz) {
+        object_unparent(OBJECT(vd->sasl.authz));
+        vd->sasl.authz = NULL;
+    }
+    g_free(vd->sasl.authzid);
+    vd->sasl.authzid = NULL;
+#endif
  }
  
  int vnc_display_password(const char *id, const char *password)
@@ -3152,11 +3291,11 @@ static void vnc_display_print_local_addr(VncDisplay *vd)
      SocketAddress *addr;
      Error *err = NULL;
  
-    if (!vd->nlsock) {
+    if (!vd->listener || !vd->listener->nsioc) {
          return;
      }
  
-    addr = qio_channel_socket_get_local_address(vd->lsock[0], &err);
+    addr = qio_channel_socket_get_local_address(vd->listener->sioc[0], &err);
      if (!addr) {
          return;
      }
@@ -3185,10 +3324,6 @@ static QemuOptsList qemu_vnc_opts = {
          },{
              .name = "tls-creds",
              .type = QEMU_OPT_STRING,
-        },{
-            /* Deprecated in favour of tls-creds */
-            .name = "x509",
-            .type = QEMU_OPT_STRING,
          },{
              .name = "share",
              .type = QEMU_OPT_STRING,
@@ -3226,16 +3361,14 @@ static QemuOptsList qemu_vnc_opts = {
              .name = "sasl",
              .type = QEMU_OPT_BOOL,
          },{
-            /* Deprecated in favour of tls-creds */
-            .name = "tls",
+            .name = "acl",
              .type = QEMU_OPT_BOOL,
          },{
-            /* Deprecated in favour of tls-creds */
-            .name = "x509verify",
+            .name = "tls-authz",
              .type = QEMU_OPT_STRING,
          },{
-            .name = "acl",
-            .type = QEMU_OPT_BOOL,
+            .name = "sasl-authz",
+            .type = QEMU_OPT_STRING,
          },{
              .name = "lossy",
              .type = QEMU_OPT_BOOL,
@@ -3360,51 +3493,6 @@ vnc_display_setup_auth(int *auth,
  }
  
  
-/*
- * Handle back compat with old CLI syntax by creating some
- * suitable QCryptoTLSCreds objects
- */
-static QCryptoTLSCreds *
-vnc_display_create_creds(bool x509,
-                         bool x509verify,
-                         const char *dir,
-                         const char *id,
-                         Error **errp)
-{
-    gchar *credsid = g_strdup_printf("tlsvnc%s", id);
-    Object *parent = object_get_objects_root();
-    Object *creds;
-    Error *err = NULL;
-
-    if (x509) {
-        creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
-                                      parent,
-                                      credsid,
-                                      &err,
-                                      "endpoint", "server",
-                                      "dir", dir,
-                                      "verify-peer", x509verify ? "yes" : "no",
-                                      NULL);
-    } else {
-        creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
-                                      parent,
-                                      credsid,
-                                      &err,
-                                      "endpoint", "server",
-                                      NULL);
-    }
-
-    g_free(credsid);
-
-    if (err) {
-        error_propagate(errp, err);
-        return NULL;
-    }
-
-    return QCRYPTO_TLS_CREDS(creds);
-}
-
-
  static int vnc_display_get_address(const char *addrstr,
                                     bool websocket,
                                     bool reverse,
@@ -3522,6 +3610,20 @@ static int vnc_display_get_address(const char *addrstr,
      return ret;
  }
  
+static void vnc_free_addresses(SocketAddress ***retsaddr,
+                               size_t *retnsaddr)
+{
+    size_t i;
+
+    for (i = 0; i < *retnsaddr; i++) {
+        qapi_free_SocketAddress((*retsaddr)[i]);
+    }
+    g_free(*retsaddr);
+
+    *retsaddr = NULL;
+    *retnsaddr = 0;
+}
+
  static int vnc_display_get_addresses(QemuOpts *opts,
                                       bool reverse,
                                       SocketAddress ***retsaddr,
@@ -3539,7 +3641,6 @@ static int vnc_display_get_addresses(QemuOpts *opts,
      bool has_ipv6 = qemu_opt_get(opts, "ipv6");
      bool ipv4 = qemu_opt_get_bool(opts, "ipv4", false);
      bool ipv6 = qemu_opt_get_bool(opts, "ipv6", false);
-    size_t i;
      int displaynum = -1;
      int ret = -1;
  
@@ -3615,16 +3716,8 @@ static int vnc_display_get_addresses(QemuOpts *opts,
      ret = 0;
   cleanup:
      if (ret < 0) {
-        for (i = 0; i < *retnsaddr; i++) {
-            qapi_free_SocketAddress((*retsaddr)[i]);
-        }
-        g_free(*retsaddr);
-        for (i = 0; i < *retnwsaddr; i++) {
-            qapi_free_SocketAddress((*retwsaddr)[i]);
-        }
-        g_free(*retwsaddr);
-        *retsaddr = *retwsaddr = NULL;
-        *retnsaddr = *retnwsaddr = 0;
+        vnc_free_addresses(retsaddr, retnsaddr);
+        vnc_free_addresses(retwsaddr, retnwsaddr);
      }
      return ret;
  }
@@ -3659,68 +3752,6 @@ static int vnc_display_connect(VncDisplay *vd,
  }
  
  
-static int vnc_display_listen_addr(VncDisplay *vd,
-                                   SocketAddress *addr,
-                                   const char *name,
-                                   QIOChannelSocket ***lsock,
-                                   guint **lsock_tag,
-                                   size_t *nlsock,
-                                   Error **errp)
-{
-    QIODNSResolver *resolver = qio_dns_resolver_get_instance();
-    SocketAddress **rawaddrs = NULL;
-    size_t nrawaddrs = 0;
-    Error *listenerr = NULL;
-    bool listening = false;
-    size_t i;
-
-    if (qio_dns_resolver_lookup_sync(resolver, addr, &nrawaddrs,
-                                     &rawaddrs, errp) < 0) {
-        return -1;
-    }
-
-    for (i = 0; i < nrawaddrs; i++) {
-        QIOChannelSocket *sioc = qio_channel_socket_new();
-
-        qio_channel_set_name(QIO_CHANNEL(sioc), name);
-        if (qio_channel_socket_listen_sync(
-                sioc, rawaddrs[i], listenerr == NULL ? &listenerr : NULL) < 0) {
-            object_unref(OBJECT(sioc));
-            continue;
-        }
-        listening = true;
-        (*nlsock)++;
-        *lsock = g_renew(QIOChannelSocket *, *lsock, *nlsock);
-        *lsock_tag = g_renew(guint, *lsock_tag, *nlsock);
-
-        (*lsock)[*nlsock - 1] = sioc;
-        (*lsock_tag)[*nlsock - 1] = 0;
-    }
-
-    for (i = 0; i < nrawaddrs; i++) {
-        qapi_free_SocketAddress(rawaddrs[i]);
-    }
-    g_free(rawaddrs);
-
-    if (listenerr) {
-        if (!listening) {
-            error_propagate(errp, listenerr);
-            return -1;
-        } else {
-            error_free(listenerr);
-        }
-    }
-
-    for (i = 0; i < *nlsock; i++) {
-        (*lsock_tag)[i] = qio_channel_add_watch(
-            QIO_CHANNEL((*lsock)[i]),
-            G_IO_IN, vnc_listen_io, vd, NULL);
-    }
-
-    return 0;
-}
-
-
  static int vnc_display_listen(VncDisplay *vd,
                                SocketAddress **saddr,
                                size_t nsaddr,
@@ -3730,25 +3761,34 @@ static int vnc_display_listen(VncDisplay *vd,
  {
      size_t i;
  
-    for (i = 0; i < nsaddr; i++) {
-        if (vnc_display_listen_addr(vd, saddr[i],
-                                    "vnc-listen",
-                                    &vd->lsock,
-                                    &vd->lsock_tag,
-                                    &vd->nlsock,
-                                    errp) < 0) {
-            return -1;
+    if (nsaddr) {
+        vd->listener = qio_net_listener_new();
+        qio_net_listener_set_name(vd->listener, "vnc-listen");
+        for (i = 0; i < nsaddr; i++) {
+            if (qio_net_listener_open_sync(vd->listener,
+                                           saddr[i],
+                                           errp) < 0)  {
+                return -1;
+            }
          }
+
+        qio_net_listener_set_client_func(vd->listener,
+                                         vnc_listen_io, vd, NULL);
      }
-    for (i = 0; i < nwsaddr; i++) {
-        if (vnc_display_listen_addr(vd, wsaddr[i],
-                                    "vnc-ws-listen",
-                                    &vd->lwebsock,
-                                    &vd->lwebsock_tag,
-                                    &vd->nlwebsock,
-                                    errp) < 0) {
-            return -1;
+
+    if (nwsaddr) {
+        vd->wslistener = qio_net_listener_new();
+        qio_net_listener_set_name(vd->wslistener, "vnc-ws-listen");
+        for (i = 0; i < nwsaddr; i++) {
+            if (qio_net_listener_open_sync(vd->wslistener,
+                                           wsaddr[i],
+                                           errp) < 0)  {
+                return -1;
+            }
          }
+
+        qio_net_listener_set_client_func(vd->wslistener,
+                                         vnc_listen_io, vd, NULL);
      }
  
      return 0;
@@ -3767,13 +3807,11 @@ void vnc_display_open(const char *id, Error **errp)
      bool reverse = false;
      const char *credid;
      bool sasl = false;
-#ifdef CONFIG_VNC_SASL
-    int saslErr;
-#endif
      int acl = 0;
+    const char *tlsauthz;
+    const char *saslauthz;
      int lock_key_sync = 1;
      int key_delay_ms;
-    size_t i;
  
      if (!vd) {
          error_setg(errp, "VNC display not active");
@@ -3809,7 +3847,7 @@ void vnc_display_open(const char *id, Error **errp)
      }
  
      lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
-    key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);
+    key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 10);
      sasl = qemu_opt_get_bool(opts, "sasl", false);
  #ifndef CONFIG_VNC_SASL
      if (sasl) {
@@ -3820,15 +3858,6 @@ void vnc_display_open(const char *id, Error **errp)
      credid = qemu_opt_get(opts, "tls-creds");
      if (credid) {
          Object *creds;
-        if (qemu_opt_get(opts, "tls") ||
-            qemu_opt_get(opts, "x509") ||
-            qemu_opt_get(opts, "x509verify")) {
-            error_setg(errp,
-                       "'tls-creds' parameter is mutually exclusive with "
-                       "'tls', 'x509' and 'x509verify' parameters");
-            goto fail;
-        }
-
          creds = object_resolve_path_component(
              object_get_objects_root(), credid);
          if (!creds) {
@@ -3851,33 +3880,34 @@ void vnc_display_open(const char *id, Error **errp)
                         "Expecting TLS credentials with a server endpoint");
              goto fail;
          }
-    } else {
-        const char *path;
-        bool tls = false, x509 = false, x509verify = false;
-        tls  = qemu_opt_get_bool(opts, "tls", false);
-        if (tls) {
-            path = qemu_opt_get(opts, "x509");
-
-            if (path) {
-                x509 = true;
-            } else {
-                path = qemu_opt_get(opts, "x509verify");
-                if (path) {
-                    x509 = true;
-                    x509verify = true;
-                }
-            }
-            vd->tlscreds = vnc_display_create_creds(x509,
-                                                    x509verify,
-                                                    path,
-                                                    vd->id,
-                                                    errp);
-            if (!vd->tlscreds) {
-                goto fail;
-            }
-        }
+    }
+    if (qemu_opt_get(opts, "acl")) {
+        error_report("The 'acl' option to -vnc is deprecated. "
+                     "Please use the 'tls-authz' and 'sasl-authz' "
+                     "options instead");
      }
      acl = qemu_opt_get_bool(opts, "acl", false);
+    tlsauthz = qemu_opt_get(opts, "tls-authz");
+    if (acl && tlsauthz) {
+        error_setg(errp, "'acl' option is mutually exclusive with the "
+                   "'tls-authz' option");
+        goto fail;
+    }
+    if (tlsauthz && !vd->tlscreds) {
+        error_setg(errp, "'tls-authz' provided but TLS is not enabled");
+        goto fail;
+    }
+
+    saslauthz = qemu_opt_get(opts, "sasl-authz");
+    if (acl && saslauthz) {
+        error_setg(errp, "'acl' option is mutually exclusive with the "
+                   "'sasl-authz' option");
+        goto fail;
+    }
+    if (saslauthz && !sasl) {
+        error_setg(errp, "'sasl-authz' provided but SASL auth is not enabled");
+        goto fail;
+    }
  
      share = qemu_opt_get(opts, "share");
      if (share) {
@@ -3907,25 +3937,32 @@ void vnc_display_open(const char *id, Error **errp)
          vd->non_adaptive = true;
      }
  
-    if (acl) {
+    if (tlsauthz) {
+        vd->tlsauthzid = g_strdup(tlsauthz);
+    } else if (acl) {
          if (strcmp(vd->id, "default") == 0) {
-            vd->tlsaclname = g_strdup("vnc.x509dname");
+            vd->tlsauthzid = g_strdup("vnc.x509dname");
          } else {
-            vd->tlsaclname = g_strdup_printf("vnc.%s.x509dname", vd->id);
+            vd->tlsauthzid = g_strdup_printf("vnc.%s.x509dname", vd->id);
          }
-        qemu_acl_init(vd->tlsaclname);
+        vd->tlsauthz = QAUTHZ(qauthz_list_new(vd->tlsauthzid,
+                                              QAUTHZ_LIST_POLICY_DENY,
+                                              &error_abort));
      }
  #ifdef CONFIG_VNC_SASL
-    if (acl && sasl) {
-        char *aclname;
-
-        if (strcmp(vd->id, "default") == 0) {
-            aclname = g_strdup("vnc.username");
-        } else {
-            aclname = g_strdup_printf("vnc.%s.username", vd->id);
+    if (sasl) {
+        if (saslauthz) {
+            vd->sasl.authzid = g_strdup(saslauthz);
+        } else if (acl) {
+            if (strcmp(vd->id, "default") == 0) {
+                vd->sasl.authzid = g_strdup("vnc.username");
+            } else {
+                vd->sasl.authzid = g_strdup_printf("vnc.%s.username", vd->id);
+            }
+            vd->sasl.authz = QAUTHZ(qauthz_list_new(vd->sasl.authzid,
+                                                    QAUTHZ_LIST_POLICY_DENY,
+                                                    &error_abort));
          }
-        vd->sasl.acl = qemu_acl_init(aclname);
-        g_free(aclname);
      }
  #endif
  
@@ -3934,18 +3971,24 @@ void vnc_display_open(const char *id, Error **errp)
                                 sasl, false, errp) < 0) {
          goto fail;
      }
+    trace_vnc_auth_init(vd, 0, vd->auth, vd->subauth);
  
      if (vnc_display_setup_auth(&vd->ws_auth, &vd->ws_subauth,
                                 vd->tlscreds, password,
                                 sasl, true, errp) < 0) {
          goto fail;
      }
+    trace_vnc_auth_init(vd, 1, vd->ws_auth, vd->ws_subauth);
  
  #ifdef CONFIG_VNC_SASL
-    if ((saslErr = sasl_server_init(NULL, "qemu")) != SASL_OK) {
-        error_setg(errp, "Failed to initialize SASL auth: %s",
-                   sasl_errstring(saslErr, NULL, NULL));
-        goto fail;
+    if (sasl) {
+        int saslErr = sasl_server_init(NULL, "qemu");
+
+        if (saslErr != SASL_OK) {
+            error_setg(errp, "Failed to initialize SASL auth: %s",
+                       sasl_errstring(saslErr, NULL, NULL));
+            goto fail;
+        }
      }
  #endif
      vd->lock_key_sync = lock_key_sync;
@@ -3953,7 +3996,6 @@ void vnc_display_open(const char *id, Error **errp)
          vd->led = qemu_add_led_event_handler(kbd_leds, vd);
      }
      vd->ledstate = 0;
-    vd->key_delay_ms = key_delay_ms;
  
      device_id = qemu_opt_get(opts, "display");
      if (device_id) {
@@ -3970,10 +4012,13 @@ void vnc_display_open(const char *id, Error **errp)
      }
  
      if (con != vd->dcl.con) {
+        qkbd_state_free(vd->kbd);
          unregister_displaychangelistener(&vd->dcl);
          vd->dcl.con = con;
          register_displaychangelistener(&vd->dcl);
+        vd->kbd = qkbd_state_init(vd->dcl.con);
      }
+    qkbd_state_set_delay(vd->kbd, key_delay_ms);
  
      if (saddr == NULL) {
          goto cleanup;
@@ -3994,12 +4039,8 @@ void vnc_display_open(const char *id, Error **errp)
      }
  
   cleanup:
-    for (i = 0; i < nsaddr; i++) {
-        qapi_free_SocketAddress(saddr[i]);
-    }
-    for (i = 0; i < nwsaddr; i++) {
-        qapi_free_SocketAddress(wsaddr[i]);
-    }
+    vnc_free_addresses(&saddr, &nsaddr);
+    vnc_free_addresses(&wsaddr, &nwsaddr);
      return;
  
  fail:
@@ -4061,11 +4102,15 @@ int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp)
      char *id = (char *)qemu_opts_id(opts);
  
      assert(id);
-    vnc_display_init(id);
+    vnc_display_init(id, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return -1;
+    }
      vnc_display_open(id, &local_err);
      if (local_err != NULL) {
-        error_reportf_err(local_err, "Failed to start VNC server: ");
-        exit(1);
+        error_propagate(errp, local_err);
+        return -1;
      }
      return 0;
  }