Git Repo - qemu.git/blame_incremental

... / ...

Commit	Line	Data
	1	/*
	2	* Copyright (C) 2010 Red Hat, Inc.
	3	*
	4	* written by Yaniv Kamay, Izik Eidus, Gerd Hoffmann
	5	* maintained by Gerd Hoffmann <[email protected]>
	6	*
	7	* This program is free software; you can redistribute it and/or
	8	* modify it under the terms of the GNU General Public License as
	9	* published by the Free Software Foundation; either version 2 or
	10	* (at your option) version 3 of the License.
	11	*
	12	* This program is distributed in the hope that it will be useful,
	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	* GNU General Public License for more details.
	16	*
	17	* You should have received a copy of the GNU General Public License
	18	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	19	*/
	20
	21	#include <zlib.h>
	22
	23	#include "qemu-common.h"
	24	#include "qemu/timer.h"
	25	#include "qemu/queue.h"
	26	#include "qemu/atomic.h"
	27	#include "monitor/monitor.h"
	28	#include "sysemu/sysemu.h"
	29	#include "trace.h"
	30
	31	#include "qxl.h"
	32
	33	/*
	34	* NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as
	35	* such can be changed by the guest, so to avoid a guest trigerrable
	36	* abort we just qxl_set_guest_bug and set the return to NULL. Still
	37	* it may happen as a result of emulator bug as well.
	38	*/
	39	#undef SPICE_RING_PROD_ITEM
	40	#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \
	41	uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \
	42	if (prod >= ARRAY_SIZE((r)->items)) { \
	43	qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \
	44	"%u >= %zu", prod, ARRAY_SIZE((r)->items)); \
	45	ret = NULL; \
	46	} else { \
	47	ret = &(r)->items[prod].el; \
	48	} \
	49	}
	50
	51	#undef SPICE_RING_CONS_ITEM
	52	#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
	53	uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \
	54	if (cons >= ARRAY_SIZE((r)->items)) { \
	55	qxl_set_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \
	56	"%u >= %zu", cons, ARRAY_SIZE((r)->items)); \
	57	ret = NULL; \
	58	} else { \
	59	ret = &(r)->items[cons].el; \
	60	} \
	61	}
	62
	63	#undef ALIGN
	64	#define ALIGN(a, b) (((a) + ((b) - 1)) & ~((b) - 1))
	65
	66	#define PIXEL_SIZE 0.2936875 //1280x1024 is 14.8" x 11.9"
	67
	68	#define QXL_MODE(_x, _y, _b, _o) \
	69	{ .x_res = _x, \
	70	.y_res = _y, \
	71	.bits = _b, \
	72	.stride = (_x) * (_b) / 8, \
	73	.x_mili = PIXEL_SIZE * (_x), \
	74	.y_mili = PIXEL_SIZE * (_y), \
	75	.orientation = _o, \
	76	}
	77
	78	#define QXL_MODE_16_32(x_res, y_res, orientation) \
	79	QXL_MODE(x_res, y_res, 16, orientation), \
	80	QXL_MODE(x_res, y_res, 32, orientation)
	81
	82	#define QXL_MODE_EX(x_res, y_res) \
	83	QXL_MODE_16_32(x_res, y_res, 0), \
	84	QXL_MODE_16_32(x_res, y_res, 1)
	85
	86	static QXLMode qxl_modes[] = {
	87	QXL_MODE_EX(640, 480),
	88	QXL_MODE_EX(800, 480),
	89	QXL_MODE_EX(800, 600),
	90	QXL_MODE_EX(832, 624),
	91	QXL_MODE_EX(960, 640),
	92	QXL_MODE_EX(1024, 600),
	93	QXL_MODE_EX(1024, 768),
	94	QXL_MODE_EX(1152, 864),
	95	QXL_MODE_EX(1152, 870),
	96	QXL_MODE_EX(1280, 720),
	97	QXL_MODE_EX(1280, 760),
	98	QXL_MODE_EX(1280, 768),
	99	QXL_MODE_EX(1280, 800),
	100	QXL_MODE_EX(1280, 960),
	101	QXL_MODE_EX(1280, 1024),
	102	QXL_MODE_EX(1360, 768),
	103	QXL_MODE_EX(1366, 768),
	104	QXL_MODE_EX(1400, 1050),
	105	QXL_MODE_EX(1440, 900),
	106	QXL_MODE_EX(1600, 900),
	107	QXL_MODE_EX(1600, 1200),
	108	QXL_MODE_EX(1680, 1050),
	109	QXL_MODE_EX(1920, 1080),
	110	/* these modes need more than 8 MB video memory */
	111	QXL_MODE_EX(1920, 1200),
	112	QXL_MODE_EX(1920, 1440),
	113	QXL_MODE_EX(2000, 2000),
	114	QXL_MODE_EX(2048, 1536),
	115	QXL_MODE_EX(2048, 2048),
	116	QXL_MODE_EX(2560, 1440),
	117	QXL_MODE_EX(2560, 1600),
	118	/* these modes need more than 16 MB video memory */
	119	QXL_MODE_EX(2560, 2048),
	120	QXL_MODE_EX(2800, 2100),
	121	QXL_MODE_EX(3200, 2400),
	122	QXL_MODE_EX(3840, 2160), /* 4k mainstream */
	123	QXL_MODE_EX(4096, 2160), /* 4k */
	124	QXL_MODE_EX(7680, 4320), /* 8k mainstream */
	125	QXL_MODE_EX(8192, 4320), /* 8k */
	126	};
	127
	128	static void qxl_send_events(PCIQXLDevice *d, uint32_t events);
	129	static int qxl_destroy_primary(PCIQXLDevice *d, qxl_async_io async);
	130	static void qxl_reset_memslots(PCIQXLDevice *d);
	131	static void qxl_reset_surfaces(PCIQXLDevice *d);
	132	static void qxl_ring_set_dirty(PCIQXLDevice *qxl);
	133
	134	void qxl_set_guest_bug(PCIQXLDevice qxl, const char msg, ...)
	135	{
	136	trace_qxl_set_guest_bug(qxl->id);
	137	qxl_send_events(qxl, QXL_INTERRUPT_ERROR);
	138	qxl->guest_bug = 1;
	139	if (qxl->guestdebug) {
	140	va_list ap;
	141	va_start(ap, msg);
	142	fprintf(stderr, "qxl-%d: guest bug: ", qxl->id);
	143	vfprintf(stderr, msg, ap);
	144	fprintf(stderr, "\n");
	145	va_end(ap);
	146	}
	147	}
	148
	149	static void qxl_clear_guest_bug(PCIQXLDevice *qxl)
	150	{
	151	qxl->guest_bug = 0;
	152	}
	153
	154	void qxl_spice_update_area(PCIQXLDevice *qxl, uint32_t surface_id,
	155	struct QXLRect area, struct QXLRect dirty_rects,
	156	uint32_t num_dirty_rects,
	157	uint32_t clear_dirty_region,
	158	qxl_async_io async, struct QXLCookie *cookie)
	159	{
	160	trace_qxl_spice_update_area(qxl->id, surface_id, area->left, area->right,
	161	area->top, area->bottom);
	162	trace_qxl_spice_update_area_rest(qxl->id, num_dirty_rects,
	163	clear_dirty_region);
	164	if (async == QXL_SYNC) {
	165	qxl->ssd.worker->update_area(qxl->ssd.worker, surface_id, area,
	166	dirty_rects, num_dirty_rects, clear_dirty_region);
	167	} else {
	168	assert(cookie != NULL);
	169	spice_qxl_update_area_async(&qxl->ssd.qxl, surface_id, area,
	170	clear_dirty_region, (uintptr_t)cookie);
	171	}
	172	}
	173
	174	static void qxl_spice_destroy_surface_wait_complete(PCIQXLDevice *qxl,
	175	uint32_t id)
	176	{
	177	trace_qxl_spice_destroy_surface_wait_complete(qxl->id, id);
	178	qemu_mutex_lock(&qxl->track_lock);
	179	qxl->guest_surfaces.cmds[id] = 0;
	180	qxl->guest_surfaces.count--;
	181	qemu_mutex_unlock(&qxl->track_lock);
	182	}
	183
	184	static void qxl_spice_destroy_surface_wait(PCIQXLDevice *qxl, uint32_t id,
	185	qxl_async_io async)
	186	{
	187	QXLCookie *cookie;
	188
	189	trace_qxl_spice_destroy_surface_wait(qxl->id, id, async);
	190	if (async) {
	191	cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
	192	QXL_IO_DESTROY_SURFACE_ASYNC);
	193	cookie->u.surface_id = id;
	194	spice_qxl_destroy_surface_async(&qxl->ssd.qxl, id, (uintptr_t)cookie);
	195	} else {
	196	qxl->ssd.worker->destroy_surface_wait(qxl->ssd.worker, id);
	197	qxl_spice_destroy_surface_wait_complete(qxl, id);
	198	}
	199	}
	200
	201	static void qxl_spice_flush_surfaces_async(PCIQXLDevice *qxl)
	202	{
	203	trace_qxl_spice_flush_surfaces_async(qxl->id, qxl->guest_surfaces.count,
	204	qxl->num_free_res);
	205	spice_qxl_flush_surfaces_async(&qxl->ssd.qxl,
	206	(uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
	207	QXL_IO_FLUSH_SURFACES_ASYNC));
	208	}
	209
	210	void qxl_spice_loadvm_commands(PCIQXLDevice qxl, struct QXLCommandExt ext,
	211	uint32_t count)
	212	{
	213	trace_qxl_spice_loadvm_commands(qxl->id, ext, count);
	214	qxl->ssd.worker->loadvm_commands(qxl->ssd.worker, ext, count);
	215	}
	216
	217	void qxl_spice_oom(PCIQXLDevice *qxl)
	218	{
	219	trace_qxl_spice_oom(qxl->id);
	220	qxl->ssd.worker->oom(qxl->ssd.worker);
	221	}
	222
	223	void qxl_spice_reset_memslots(PCIQXLDevice *qxl)
	224	{
	225	trace_qxl_spice_reset_memslots(qxl->id);
	226	qxl->ssd.worker->reset_memslots(qxl->ssd.worker);
	227	}
	228
	229	static void qxl_spice_destroy_surfaces_complete(PCIQXLDevice *qxl)
	230	{
	231	trace_qxl_spice_destroy_surfaces_complete(qxl->id);
	232	qemu_mutex_lock(&qxl->track_lock);
	233	memset(qxl->guest_surfaces.cmds, 0,
	234	sizeof(qxl->guest_surfaces.cmds[0]) * qxl->ssd.num_surfaces);
	235	qxl->guest_surfaces.count = 0;
	236	qemu_mutex_unlock(&qxl->track_lock);
	237	}
	238
	239	static void qxl_spice_destroy_surfaces(PCIQXLDevice *qxl, qxl_async_io async)
	240	{
	241	trace_qxl_spice_destroy_surfaces(qxl->id, async);
	242	if (async) {
	243	spice_qxl_destroy_surfaces_async(&qxl->ssd.qxl,
	244	(uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
	245	QXL_IO_DESTROY_ALL_SURFACES_ASYNC));
	246	} else {
	247	qxl->ssd.worker->destroy_surfaces(qxl->ssd.worker);
	248	qxl_spice_destroy_surfaces_complete(qxl);
	249	}
	250	}
	251
	252	static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
	253	{
	254	trace_qxl_spice_monitors_config(qxl->id);
	255	if (replay) {
	256	/*
	257	* don't use QXL_COOKIE_TYPE_IO:
	258	* - we are not running yet (post_load), we will assert
	259	* in send_events
	260	* - this is not a guest io, but a reply, so async_io isn't set.
	261	*/
	262	spice_qxl_monitors_config_async(&qxl->ssd.qxl,
	263	qxl->guest_monitors_config,
	264	MEMSLOT_GROUP_GUEST,
	265	(uintptr_t)qxl_cookie_new(
	266	QXL_COOKIE_TYPE_POST_LOAD_MONITORS_CONFIG,
	267	0));
	268	} else {
	269	qxl->guest_monitors_config = qxl->ram->monitors_config;
	270	spice_qxl_monitors_config_async(&qxl->ssd.qxl,
	271	qxl->ram->monitors_config,
	272	MEMSLOT_GROUP_GUEST,
	273	(uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO,
	274	QXL_IO_MONITORS_CONFIG_ASYNC));
	275	}
	276	}
	277
	278	void qxl_spice_reset_image_cache(PCIQXLDevice *qxl)
	279	{
	280	trace_qxl_spice_reset_image_cache(qxl->id);
	281	qxl->ssd.worker->reset_image_cache(qxl->ssd.worker);
	282	}
	283
	284	void qxl_spice_reset_cursor(PCIQXLDevice *qxl)
	285	{
	286	trace_qxl_spice_reset_cursor(qxl->id);
	287	qxl->ssd.worker->reset_cursor(qxl->ssd.worker);
	288	qemu_mutex_lock(&qxl->track_lock);
	289	qxl->guest_cursor = 0;
	290	qemu_mutex_unlock(&qxl->track_lock);
	291	if (qxl->ssd.cursor) {
	292	cursor_put(qxl->ssd.cursor);
	293	}
	294	qxl->ssd.cursor = cursor_builtin_hidden();
	295	}
	296
	297
	298	static inline uint32_t msb_mask(uint32_t val)
	299	{
	300	uint32_t mask;
	301
	302	do {
	303	mask = ~(val - 1) & val;
	304	val &= ~mask;
	305	} while (mask < val);
	306
	307	return mask;
	308	}
	309
	310	static ram_addr_t qxl_rom_size(void)
	311	{
	312	uint32_t required_rom_size = sizeof(QXLRom) + sizeof(QXLModes) +
	313	sizeof(qxl_modes);
	314	uint32_t rom_size = 8192; /* two pages */
	315
	316	required_rom_size = MAX(required_rom_size, TARGET_PAGE_SIZE);
	317	required_rom_size = msb_mask(required_rom_size * 2 - 1);
	318	assert(required_rom_size <= rom_size);
	319	return rom_size;
	320	}
	321
	322	static void init_qxl_rom(PCIQXLDevice *d)
	323	{
	324	QXLRom *rom = memory_region_get_ram_ptr(&d->rom_bar);
	325	QXLModes modes = (QXLModes )(rom + 1);
	326	uint32_t ram_header_size;
	327	uint32_t surface0_area_size;
	328	uint32_t num_pages;
	329	uint32_t fb;
	330	int i, n;
	331
	332	memset(rom, 0, d->rom_size);
	333
	334	rom->magic = cpu_to_le32(QXL_ROM_MAGIC);
	335	rom->id = cpu_to_le32(d->id);
	336	rom->log_level = cpu_to_le32(d->guestdebug);
	337	rom->modes_offset = cpu_to_le32(sizeof(QXLRom));
	338
	339	rom->slot_gen_bits = MEMSLOT_GENERATION_BITS;
	340	rom->slot_id_bits = MEMSLOT_SLOT_BITS;
	341	rom->slots_start = 1;
	342	rom->slots_end = NUM_MEMSLOTS - 1;
	343	rom->n_surfaces = cpu_to_le32(d->ssd.num_surfaces);
	344
	345	for (i = 0, n = 0; i < ARRAY_SIZE(qxl_modes); i++) {
	346	fb = qxl_modes[i].y_res * qxl_modes[i].stride;
	347	if (fb > d->vgamem_size) {
	348	continue;
	349	}
	350	modes->modes[n].id = cpu_to_le32(i);
	351	modes->modes[n].x_res = cpu_to_le32(qxl_modes[i].x_res);
	352	modes->modes[n].y_res = cpu_to_le32(qxl_modes[i].y_res);
	353	modes->modes[n].bits = cpu_to_le32(qxl_modes[i].bits);
	354	modes->modes[n].stride = cpu_to_le32(qxl_modes[i].stride);
	355	modes->modes[n].x_mili = cpu_to_le32(qxl_modes[i].x_mili);
	356	modes->modes[n].y_mili = cpu_to_le32(qxl_modes[i].y_mili);
	357	modes->modes[n].orientation = cpu_to_le32(qxl_modes[i].orientation);
	358	n++;
	359	}
	360	modes->n_modes = cpu_to_le32(n);
	361
	362	ram_header_size = ALIGN(sizeof(QXLRam), 4096);
	363	surface0_area_size = ALIGN(d->vgamem_size, 4096);
	364	num_pages = d->vga.vram_size;
	365	num_pages -= ram_header_size;
	366	num_pages -= surface0_area_size;
	367	num_pages = num_pages / TARGET_PAGE_SIZE;
	368
	369	rom->draw_area_offset = cpu_to_le32(0);
	370	rom->surface0_area_size = cpu_to_le32(surface0_area_size);
	371	rom->pages_offset = cpu_to_le32(surface0_area_size);
	372	rom->num_pages = cpu_to_le32(num_pages);
	373	rom->ram_header_offset = cpu_to_le32(d->vga.vram_size - ram_header_size);
	374
	375	d->shadow_rom = *rom;
	376	d->rom = rom;
	377	d->modes = modes;
	378	}
	379
	380	static void init_qxl_ram(PCIQXLDevice *d)
	381	{
	382	uint8_t *buf;
	383	uint64_t *item;
	384
	385	buf = d->vga.vram_ptr;
	386	d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset));
	387	d->ram->magic = cpu_to_le32(QXL_RAM_MAGIC);
	388	d->ram->int_pending = cpu_to_le32(0);
	389	d->ram->int_mask = cpu_to_le32(0);
	390	d->ram->update_surface = 0;
	391	d->ram->monitors_config = 0;
	392	SPICE_RING_INIT(&d->ram->cmd_ring);
	393	SPICE_RING_INIT(&d->ram->cursor_ring);
	394	SPICE_RING_INIT(&d->ram->release_ring);
	395	SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
	396	assert(item);
	397	*item = 0;
	398	qxl_ring_set_dirty(d);
	399	}
	400
	401	/* can be called from spice server thread context */
	402	static void qxl_set_dirty(MemoryRegion *mr, ram_addr_t addr, ram_addr_t end)
	403	{
	404	memory_region_set_dirty(mr, addr, end - addr);
	405	}
	406
	407	static void qxl_rom_set_dirty(PCIQXLDevice *qxl)
	408	{
	409	qxl_set_dirty(&qxl->rom_bar, 0, qxl->rom_size);
	410	}
	411
	412	/* called from spice server thread context only */
	413	static void qxl_ram_set_dirty(PCIQXLDevice qxl, void ptr)
	414	{
	415	void *base = qxl->vga.vram_ptr;
	416	intptr_t offset;
	417
	418	offset = ptr - base;
	419	offset &= ~(TARGET_PAGE_SIZE-1);
	420	assert(offset < qxl->vga.vram_size);
	421	qxl_set_dirty(&qxl->vga.vram, offset, offset + TARGET_PAGE_SIZE);
	422	}
	423
	424	/* can be called from spice server thread context */
	425	static void qxl_ring_set_dirty(PCIQXLDevice *qxl)
	426	{
	427	ram_addr_t addr = qxl->shadow_rom.ram_header_offset;
	428	ram_addr_t end = qxl->vga.vram_size;
	429	qxl_set_dirty(&qxl->vga.vram, addr, end);
	430	}
	431
	432	/*
	433	* keep track of some command state, for savevm/loadvm.
	434	* called from spice server thread context only
	435	*/
	436	static int qxl_track_command(PCIQXLDevice qxl, struct QXLCommandExt ext)
	437	{
	438	switch (le32_to_cpu(ext->cmd.type)) {
	439	case QXL_CMD_SURFACE:
	440	{
	441	QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
	442
	443	if (!cmd) {
	444	return 1;
	445	}
	446	uint32_t id = le32_to_cpu(cmd->surface_id);
	447
	448	if (id >= qxl->ssd.num_surfaces) {
	449	qxl_set_guest_bug(qxl, "QXL_CMD_SURFACE id %d >= %d", id,
	450	qxl->ssd.num_surfaces);
	451	return 1;
	452	}
	453	if (cmd->type == QXL_SURFACE_CMD_CREATE &&
	454	(cmd->u.surface_create.stride & 0x03) != 0) {
	455	qxl_set_guest_bug(qxl, "QXL_CMD_SURFACE stride = %d %% 4 != 0\n",
	456	cmd->u.surface_create.stride);
	457	return 1;
	458	}
	459	qemu_mutex_lock(&qxl->track_lock);
	460	if (cmd->type == QXL_SURFACE_CMD_CREATE) {
	461	qxl->guest_surfaces.cmds[id] = ext->cmd.data;
	462	qxl->guest_surfaces.count++;
	463	if (qxl->guest_surfaces.max < qxl->guest_surfaces.count)
	464	qxl->guest_surfaces.max = qxl->guest_surfaces.count;
	465	}
	466	if (cmd->type == QXL_SURFACE_CMD_DESTROY) {
	467	qxl->guest_surfaces.cmds[id] = 0;
	468	qxl->guest_surfaces.count--;
	469	}
	470	qemu_mutex_unlock(&qxl->track_lock);
	471	break;
	472	}
	473	case QXL_CMD_CURSOR:
	474	{
	475	QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
	476
	477	if (!cmd) {
	478	return 1;
	479	}
	480	if (cmd->type == QXL_CURSOR_SET) {
	481	qemu_mutex_lock(&qxl->track_lock);
	482	qxl->guest_cursor = ext->cmd.data;
	483	qemu_mutex_unlock(&qxl->track_lock);
	484	}
	485	break;
	486	}
	487	}
	488	return 0;
	489	}
	490
	491	/* spice display interface callbacks */
	492
	493	static void interface_attach_worker(QXLInstance sin, QXLWorker qxl_worker)
	494	{
	495	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	496
	497	trace_qxl_interface_attach_worker(qxl->id);
	498	qxl->ssd.worker = qxl_worker;
	499	}
	500
	501	static void interface_set_compression_level(QXLInstance *sin, int level)
	502	{
	503	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	504
	505	trace_qxl_interface_set_compression_level(qxl->id, level);
	506	qxl->shadow_rom.compression_level = cpu_to_le32(level);
	507	qxl->rom->compression_level = cpu_to_le32(level);
	508	qxl_rom_set_dirty(qxl);
	509	}
	510
	511	static void interface_set_mm_time(QXLInstance *sin, uint32_t mm_time)
	512	{
	513	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	514
	515	trace_qxl_interface_set_mm_time(qxl->id, mm_time);
	516	qxl->shadow_rom.mm_clock = cpu_to_le32(mm_time);
	517	qxl->rom->mm_clock = cpu_to_le32(mm_time);
	518	qxl_rom_set_dirty(qxl);
	519	}
	520
	521	static void interface_get_init_info(QXLInstance sin, QXLDevInitInfo info)
	522	{
	523	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	524
	525	trace_qxl_interface_get_init_info(qxl->id);
	526	info->memslot_gen_bits = MEMSLOT_GENERATION_BITS;
	527	info->memslot_id_bits = MEMSLOT_SLOT_BITS;
	528	info->num_memslots = NUM_MEMSLOTS;
	529	info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;
	530	info->internal_groupslot_id = 0;
	531	info->qxl_ram_size = le32_to_cpu(qxl->shadow_rom.num_pages) << TARGET_PAGE_BITS;
	532	info->n_surfaces = qxl->ssd.num_surfaces;
	533	}
	534
	535	static const char *qxl_mode_to_string(int mode)
	536	{
	537	switch (mode) {
	538	case QXL_MODE_COMPAT:
	539	return "compat";
	540	case QXL_MODE_NATIVE:
	541	return "native";
	542	case QXL_MODE_UNDEFINED:
	543	return "undefined";
	544	case QXL_MODE_VGA:
	545	return "vga";
	546	}
	547	return "INVALID";
	548	}
	549
	550	static const char *io_port_to_string(uint32_t io_port)
	551	{
	552	if (io_port >= QXL_IO_RANGE_SIZE) {
	553	return "out of range";
	554	}
	555	static const char *io_port_to_string[QXL_IO_RANGE_SIZE + 1] = {
	556	[QXL_IO_NOTIFY_CMD] = "QXL_IO_NOTIFY_CMD",
	557	[QXL_IO_NOTIFY_CURSOR] = "QXL_IO_NOTIFY_CURSOR",
	558	[QXL_IO_UPDATE_AREA] = "QXL_IO_UPDATE_AREA",
	559	[QXL_IO_UPDATE_IRQ] = "QXL_IO_UPDATE_IRQ",
	560	[QXL_IO_NOTIFY_OOM] = "QXL_IO_NOTIFY_OOM",
	561	[QXL_IO_RESET] = "QXL_IO_RESET",
	562	[QXL_IO_SET_MODE] = "QXL_IO_SET_MODE",
	563	[QXL_IO_LOG] = "QXL_IO_LOG",
	564	[QXL_IO_MEMSLOT_ADD] = "QXL_IO_MEMSLOT_ADD",
	565	[QXL_IO_MEMSLOT_DEL] = "QXL_IO_MEMSLOT_DEL",
	566	[QXL_IO_DETACH_PRIMARY] = "QXL_IO_DETACH_PRIMARY",
	567	[QXL_IO_ATTACH_PRIMARY] = "QXL_IO_ATTACH_PRIMARY",
	568	[QXL_IO_CREATE_PRIMARY] = "QXL_IO_CREATE_PRIMARY",
	569	[QXL_IO_DESTROY_PRIMARY] = "QXL_IO_DESTROY_PRIMARY",
	570	[QXL_IO_DESTROY_SURFACE_WAIT] = "QXL_IO_DESTROY_SURFACE_WAIT",
	571	[QXL_IO_DESTROY_ALL_SURFACES] = "QXL_IO_DESTROY_ALL_SURFACES",
	572	[QXL_IO_UPDATE_AREA_ASYNC] = "QXL_IO_UPDATE_AREA_ASYNC",
	573	[QXL_IO_MEMSLOT_ADD_ASYNC] = "QXL_IO_MEMSLOT_ADD_ASYNC",
	574	[QXL_IO_CREATE_PRIMARY_ASYNC] = "QXL_IO_CREATE_PRIMARY_ASYNC",
	575	[QXL_IO_DESTROY_PRIMARY_ASYNC] = "QXL_IO_DESTROY_PRIMARY_ASYNC",
	576	[QXL_IO_DESTROY_SURFACE_ASYNC] = "QXL_IO_DESTROY_SURFACE_ASYNC",
	577	[QXL_IO_DESTROY_ALL_SURFACES_ASYNC]
	578	= "QXL_IO_DESTROY_ALL_SURFACES_ASYNC",
	579	[QXL_IO_FLUSH_SURFACES_ASYNC] = "QXL_IO_FLUSH_SURFACES_ASYNC",
	580	[QXL_IO_FLUSH_RELEASE] = "QXL_IO_FLUSH_RELEASE",
	581	[QXL_IO_MONITORS_CONFIG_ASYNC] = "QXL_IO_MONITORS_CONFIG_ASYNC",
	582	};
	583	return io_port_to_string[io_port];
	584	}
	585
	586	/* called from spice server thread context only */
	587	static int interface_get_command(QXLInstance sin, struct QXLCommandExt ext)
	588	{
	589	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	590	SimpleSpiceUpdate *update;
	591	QXLCommandRing *ring;
	592	QXLCommand *cmd;
	593	int notify, ret;
	594
	595	trace_qxl_ring_command_check(qxl->id, qxl_mode_to_string(qxl->mode));
	596
	597	switch (qxl->mode) {
	598	case QXL_MODE_VGA:
	599	ret = false;
	600	qemu_mutex_lock(&qxl->ssd.lock);
	601	update = QTAILQ_FIRST(&qxl->ssd.updates);
	602	if (update != NULL) {
	603	QTAILQ_REMOVE(&qxl->ssd.updates, update, next);
	604	*ext = update->ext;
	605	ret = true;
	606	}
	607	qemu_mutex_unlock(&qxl->ssd.lock);
	608	if (ret) {
	609	trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode));
	610	qxl_log_command(qxl, "vga", ext);
	611	}
	612	return ret;
	613	case QXL_MODE_COMPAT:
	614	case QXL_MODE_NATIVE:
	615	case QXL_MODE_UNDEFINED:
	616	ring = &qxl->ram->cmd_ring;
	617	if (qxl->guest_bug \|\| SPICE_RING_IS_EMPTY(ring)) {
	618	return false;
	619	}
	620	SPICE_RING_CONS_ITEM(qxl, ring, cmd);
	621	if (!cmd) {
	622	return false;
	623	}
	624	ext->cmd = *cmd;
	625	ext->group_id = MEMSLOT_GROUP_GUEST;
	626	ext->flags = qxl->cmdflags;
	627	SPICE_RING_POP(ring, notify);
	628	qxl_ring_set_dirty(qxl);
	629	if (notify) {
	630	qxl_send_events(qxl, QXL_INTERRUPT_DISPLAY);
	631	}
	632	qxl->guest_primary.commands++;
	633	qxl_track_command(qxl, ext);
	634	qxl_log_command(qxl, "cmd", ext);
	635	trace_qxl_ring_command_get(qxl->id, qxl_mode_to_string(qxl->mode));
	636	return true;
	637	default:
	638	return false;
	639	}
	640	}
	641
	642	/* called from spice server thread context only */
	643	static int interface_req_cmd_notification(QXLInstance *sin)
	644	{
	645	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	646	int wait = 1;
	647
	648	trace_qxl_ring_command_req_notification(qxl->id);
	649	switch (qxl->mode) {
	650	case QXL_MODE_COMPAT:
	651	case QXL_MODE_NATIVE:
	652	case QXL_MODE_UNDEFINED:
	653	SPICE_RING_CONS_WAIT(&qxl->ram->cmd_ring, wait);
	654	qxl_ring_set_dirty(qxl);
	655	break;
	656	default:
	657	/* nothing */
	658	break;
	659	}
	660	return wait;
	661	}
	662
	663	/* called from spice server thread context only */
	664	static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
	665	{
	666	QXLReleaseRing *ring = &d->ram->release_ring;
	667	uint64_t *item;
	668	int notify;
	669
	670	#define QXL_FREE_BUNCH_SIZE 32
	671
	672	if (ring->prod - ring->cons + 1 == ring->num_items) {
	673	/* ring full -- can't push */
	674	return;
	675	}
	676	if (!flush && d->oom_running) {
	677	/* collect everything from oom handler before pushing */
	678	return;
	679	}
	680	if (!flush && d->num_free_res < QXL_FREE_BUNCH_SIZE) {
	681	/* collect a bit more before pushing */
	682	return;
	683	}
	684
	685	SPICE_RING_PUSH(ring, notify);
	686	trace_qxl_ring_res_push(d->id, qxl_mode_to_string(d->mode),
	687	d->guest_surfaces.count, d->num_free_res,
	688	d->last_release, notify ? "yes" : "no");
	689	trace_qxl_ring_res_push_rest(d->id, ring->prod - ring->cons,
	690	ring->num_items, ring->prod, ring->cons);
	691	if (notify) {
	692	qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
	693	}
	694	SPICE_RING_PROD_ITEM(d, ring, item);
	695	if (!item) {
	696	return;
	697	}
	698	*item = 0;
	699	d->num_free_res = 0;
	700	d->last_release = NULL;
	701	qxl_ring_set_dirty(d);
	702	}
	703
	704	/* called from spice server thread context only */
	705	static void interface_release_resource(QXLInstance *sin,
	706	struct QXLReleaseInfoExt ext)
	707	{
	708	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	709	QXLReleaseRing *ring;
	710	uint64_t *item, id;
	711
	712	if (ext.group_id == MEMSLOT_GROUP_HOST) {
	713	/* host group -> vga mode update request */
	714	qemu_spice_destroy_update(&qxl->ssd, (void *)(intptr_t)ext.info->id);
	715	return;
	716	}
	717
	718	/*
	719	* ext->info points into guest-visible memory
	720	* pci bar 0, $command.release_info
	721	*/
	722	ring = &qxl->ram->release_ring;
	723	SPICE_RING_PROD_ITEM(qxl, ring, item);
	724	if (!item) {
	725	return;
	726	}
	727	if (*item == 0) {
	728	/* stick head into the ring */
	729	id = ext.info->id;
	730	ext.info->next = 0;
	731	qxl_ram_set_dirty(qxl, &ext.info->next);
	732	*item = id;
	733	qxl_ring_set_dirty(qxl);
	734	} else {
	735	/* append item to the list */
	736	qxl->last_release->next = ext.info->id;
	737	qxl_ram_set_dirty(qxl, &qxl->last_release->next);
	738	ext.info->next = 0;
	739	qxl_ram_set_dirty(qxl, &ext.info->next);
	740	}
	741	qxl->last_release = ext.info;
	742	qxl->num_free_res++;
	743	trace_qxl_ring_res_put(qxl->id, qxl->num_free_res);
	744	qxl_push_free_res(qxl, 0);
	745	}
	746
	747	/* called from spice server thread context only */
	748	static int interface_get_cursor_command(QXLInstance sin, struct QXLCommandExt ext)
	749	{
	750	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	751	QXLCursorRing *ring;
	752	QXLCommand *cmd;
	753	int notify;
	754
	755	trace_qxl_ring_cursor_check(qxl->id, qxl_mode_to_string(qxl->mode));
	756
	757	switch (qxl->mode) {
	758	case QXL_MODE_COMPAT:
	759	case QXL_MODE_NATIVE:
	760	case QXL_MODE_UNDEFINED:
	761	ring = &qxl->ram->cursor_ring;
	762	if (SPICE_RING_IS_EMPTY(ring)) {
	763	return false;
	764	}
	765	SPICE_RING_CONS_ITEM(qxl, ring, cmd);
	766	if (!cmd) {
	767	return false;
	768	}
	769	ext->cmd = *cmd;
	770	ext->group_id = MEMSLOT_GROUP_GUEST;
	771	ext->flags = qxl->cmdflags;
	772	SPICE_RING_POP(ring, notify);
	773	qxl_ring_set_dirty(qxl);
	774	if (notify) {
	775	qxl_send_events(qxl, QXL_INTERRUPT_CURSOR);
	776	}
	777	qxl->guest_primary.commands++;
	778	qxl_track_command(qxl, ext);
	779	qxl_log_command(qxl, "csr", ext);
	780	if (qxl->id == 0) {
	781	qxl_render_cursor(qxl, ext);
	782	}
	783	trace_qxl_ring_cursor_get(qxl->id, qxl_mode_to_string(qxl->mode));
	784	return true;
	785	default:
	786	return false;
	787	}
	788	}
	789
	790	/* called from spice server thread context only */
	791	static int interface_req_cursor_notification(QXLInstance *sin)
	792	{
	793	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	794	int wait = 1;
	795
	796	trace_qxl_ring_cursor_req_notification(qxl->id);
	797	switch (qxl->mode) {
	798	case QXL_MODE_COMPAT:
	799	case QXL_MODE_NATIVE:
	800	case QXL_MODE_UNDEFINED:
	801	SPICE_RING_CONS_WAIT(&qxl->ram->cursor_ring, wait);
	802	qxl_ring_set_dirty(qxl);
	803	break;
	804	default:
	805	/* nothing */
	806	break;
	807	}
	808	return wait;
	809	}
	810
	811	/* called from spice server thread context */
	812	static void interface_notify_update(QXLInstance *sin, uint32_t update_id)
	813	{
	814	/*
	815	* Called by spice-server as a result of a QXL_CMD_UPDATE which is not in
	816	* use by xf86-video-qxl and is defined out in the qxl windows driver.
	817	* Probably was at some earlier version that is prior to git start (2009),
	818	* and is still guest trigerrable.
	819	*/
	820	fprintf(stderr, "%s: deprecated\n", __func__);
	821	}
	822
	823	/* called from spice server thread context only */
	824	static int interface_flush_resources(QXLInstance *sin)
	825	{
	826	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	827	int ret;
	828
	829	ret = qxl->num_free_res;
	830	if (ret) {
	831	qxl_push_free_res(qxl, 1);
	832	}
	833	return ret;
	834	}
	835
	836	static void qxl_create_guest_primary_complete(PCIQXLDevice *d);
	837
	838	/* called from spice server thread context only */
	839	static void interface_async_complete_io(PCIQXLDevice qxl, QXLCookie cookie)
	840	{
	841	uint32_t current_async;
	842
	843	qemu_mutex_lock(&qxl->async_lock);
	844	current_async = qxl->current_async;
	845	qxl->current_async = QXL_UNDEFINED_IO;
	846	qemu_mutex_unlock(&qxl->async_lock);
	847
	848	trace_qxl_interface_async_complete_io(qxl->id, current_async, cookie);
	849	if (!cookie) {
	850	fprintf(stderr, "qxl: %s: error, cookie is NULL\n", __func__);
	851	return;
	852	}
	853	if (cookie && current_async != cookie->io) {
	854	fprintf(stderr,
	855	"qxl: %s: error: current_async = %d != %"
	856	PRId64 " = cookie->io\n", __func__, current_async, cookie->io);
	857	}
	858	switch (current_async) {
	859	case QXL_IO_MEMSLOT_ADD_ASYNC:
	860	case QXL_IO_DESTROY_PRIMARY_ASYNC:
	861	case QXL_IO_UPDATE_AREA_ASYNC:
	862	case QXL_IO_FLUSH_SURFACES_ASYNC:
	863	case QXL_IO_MONITORS_CONFIG_ASYNC:
	864	break;
	865	case QXL_IO_CREATE_PRIMARY_ASYNC:
	866	qxl_create_guest_primary_complete(qxl);
	867	break;
	868	case QXL_IO_DESTROY_ALL_SURFACES_ASYNC:
	869	qxl_spice_destroy_surfaces_complete(qxl);
	870	break;
	871	case QXL_IO_DESTROY_SURFACE_ASYNC:
	872	qxl_spice_destroy_surface_wait_complete(qxl, cookie->u.surface_id);
	873	break;
	874	default:
	875	fprintf(stderr, "qxl: %s: unexpected current_async %d\n", __func__,
	876	current_async);
	877	}
	878	qxl_send_events(qxl, QXL_INTERRUPT_IO_CMD);
	879	}
	880
	881	/* called from spice server thread context only */
	882	static void interface_update_area_complete(QXLInstance *sin,
	883	uint32_t surface_id,
	884	QXLRect *dirty, uint32_t num_updated_rects)
	885	{
	886	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	887	int i;
	888	int qxl_i;
	889
	890	qemu_mutex_lock(&qxl->ssd.lock);
	891	if (surface_id != 0 \|\| !qxl->render_update_cookie_num) {
	892	qemu_mutex_unlock(&qxl->ssd.lock);
	893	return;
	894	}
	895	trace_qxl_interface_update_area_complete(qxl->id, surface_id, dirty->left,
	896	dirty->right, dirty->top, dirty->bottom);
	897	trace_qxl_interface_update_area_complete_rest(qxl->id, num_updated_rects);
	898	if (qxl->num_dirty_rects + num_updated_rects > QXL_NUM_DIRTY_RECTS) {
	899	/*
	900	* overflow - treat this as a full update. Not expected to be common.
	901	*/
	902	trace_qxl_interface_update_area_complete_overflow(qxl->id,
	903	QXL_NUM_DIRTY_RECTS);
	904	qxl->guest_primary.resized = 1;
	905	}
	906	if (qxl->guest_primary.resized) {
	907	/*
	908	* Don't bother copying or scheduling the bh since we will flip
	909	* the whole area anyway on completion of the update_area async call
	910	*/
	911	qemu_mutex_unlock(&qxl->ssd.lock);
	912	return;
	913	}
	914	qxl_i = qxl->num_dirty_rects;
	915	for (i = 0; i < num_updated_rects; i++) {
	916	qxl->dirty[qxl_i++] = dirty[i];
	917	}
	918	qxl->num_dirty_rects += num_updated_rects;
	919	trace_qxl_interface_update_area_complete_schedule_bh(qxl->id,
	920	qxl->num_dirty_rects);
	921	qemu_bh_schedule(qxl->update_area_bh);
	922	qemu_mutex_unlock(&qxl->ssd.lock);
	923	}
	924
	925	/* called from spice server thread context only */
	926	static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
	927	{
	928	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	929	QXLCookie cookie = (QXLCookie )(uintptr_t)cookie_token;
	930
	931	switch (cookie->type) {
	932	case QXL_COOKIE_TYPE_IO:
	933	interface_async_complete_io(qxl, cookie);
	934	g_free(cookie);
	935	break;
	936	case QXL_COOKIE_TYPE_RENDER_UPDATE_AREA:
	937	qxl_render_update_area_done(qxl, cookie);
	938	break;
	939	case QXL_COOKIE_TYPE_POST_LOAD_MONITORS_CONFIG:
	940	break;
	941	default:
	942	fprintf(stderr, "qxl: %s: unexpected cookie type %d\n",
	943	__func__, cookie->type);
	944	g_free(cookie);
	945	}
	946	}
	947
	948	/* called from spice server thread context only */
	949	static void interface_set_client_capabilities(QXLInstance *sin,
	950	uint8_t client_present,
	951	uint8_t caps[58])
	952	{
	953	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	954
	955	if (qxl->revision < 4) {
	956	trace_qxl_set_client_capabilities_unsupported_by_revision(qxl->id,
	957	qxl->revision);
	958	return;
	959	}
	960
	961	if (runstate_check(RUN_STATE_INMIGRATE) \|\|
	962	runstate_check(RUN_STATE_POSTMIGRATE)) {
	963	return;
	964	}
	965
	966	qxl->shadow_rom.client_present = client_present;
	967	memcpy(qxl->shadow_rom.client_capabilities, caps,
	968	sizeof(qxl->shadow_rom.client_capabilities));
	969	qxl->rom->client_present = client_present;
	970	memcpy(qxl->rom->client_capabilities, caps,
	971	sizeof(qxl->rom->client_capabilities));
	972	qxl_rom_set_dirty(qxl);
	973
	974	qxl_send_events(qxl, QXL_INTERRUPT_CLIENT);
	975	}
	976
	977	static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
	978	{
	979	/*
	980	* zlib xors the seed with 0xffffffff, and xors the result
	981	* again with 0xffffffff; Both are not done with linux's crc32,
	982	* which we want to be compatible with, so undo that.
	983	*/
	984	return crc32(0xffffffff, p, len) ^ 0xffffffff;
	985	}
	986
	987	/* called from main context only */
	988	static int interface_client_monitors_config(QXLInstance *sin,
	989	VDAgentMonitorsConfig *monitors_config)
	990	{
	991	PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
	992	QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
	993	int i;
	994
	995	if (qxl->revision < 4) {
	996	trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
	997	qxl->revision);
	998	return 0;
	999	}
	1000	/*
	1001	* Older windows drivers set int_mask to 0 when their ISR is called,
	1002	* then later set it to ~0. So it doesn't relate to the actual interrupts
	1003	* handled. However, they are old, so clearly they don't support this
	1004	* interrupt
	1005	*/
	1006	if (qxl->ram->int_mask == 0 \|\| qxl->ram->int_mask == ~0 \|\|
	1007	!(qxl->ram->int_mask & QXL_INTERRUPT_CLIENT_MONITORS_CONFIG)) {
	1008	trace_qxl_client_monitors_config_unsupported_by_guest(qxl->id,
	1009	qxl->ram->int_mask,
	1010	monitors_config);
	1011	return 0;
	1012	}
	1013	if (!monitors_config) {
	1014	return 1;
	1015	}
	1016	memset(&rom->client_monitors_config, 0,
	1017	sizeof(rom->client_monitors_config));
	1018	rom->client_monitors_config.count = monitors_config->num_of_monitors;
	1019	/* monitors_config->flags ignored */
	1020	if (rom->client_monitors_config.count >=
	1021	ARRAY_SIZE(rom->client_monitors_config.heads)) {
	1022	trace_qxl_client_monitors_config_capped(qxl->id,
	1023	monitors_config->num_of_monitors,
	1024	ARRAY_SIZE(rom->client_monitors_config.heads));
	1025	rom->client_monitors_config.count =
	1026	ARRAY_SIZE(rom->client_monitors_config.heads);
	1027	}
	1028	for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
	1029	VDAgentMonConfig *monitor = &monitors_config->monitors[i];
	1030	QXLURect *rect = &rom->client_monitors_config.heads[i];
	1031	/* monitor->depth ignored */
	1032	rect->left = monitor->x;
	1033	rect->top = monitor->y;
	1034	rect->right = monitor->x + monitor->width;
	1035	rect->bottom = monitor->y + monitor->height;
	1036	}
	1037	rom->client_monitors_config_crc = qxl_crc32(
	1038	(const uint8_t *)&rom->client_monitors_config,
	1039	sizeof(rom->client_monitors_config));
	1040	trace_qxl_client_monitors_config_crc(qxl->id,
	1041	sizeof(rom->client_monitors_config),
	1042	rom->client_monitors_config_crc);
	1043
	1044	trace_qxl_interrupt_client_monitors_config(qxl->id,
	1045	rom->client_monitors_config.count,
	1046	rom->client_monitors_config.heads);
	1047	qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
	1048	return 1;
	1049	}
	1050
	1051	static const QXLInterface qxl_interface = {
	1052	.base.type = SPICE_INTERFACE_QXL,
	1053	.base.description = "qxl gpu",
	1054	.base.major_version = SPICE_INTERFACE_QXL_MAJOR,
	1055	.base.minor_version = SPICE_INTERFACE_QXL_MINOR,
	1056
	1057	.attache_worker = interface_attach_worker,
	1058	.set_compression_level = interface_set_compression_level,
	1059	.set_mm_time = interface_set_mm_time,
	1060	.get_init_info = interface_get_init_info,
	1061
	1062	/* the callbacks below are called from spice server thread context */
	1063	.get_command = interface_get_command,
	1064	.req_cmd_notification = interface_req_cmd_notification,
	1065	.release_resource = interface_release_resource,
	1066	.get_cursor_command = interface_get_cursor_command,
	1067	.req_cursor_notification = interface_req_cursor_notification,
	1068	.notify_update = interface_notify_update,
	1069	.flush_resources = interface_flush_resources,
	1070	.async_complete = interface_async_complete,
	1071	.update_area_complete = interface_update_area_complete,
	1072	.set_client_capabilities = interface_set_client_capabilities,
	1073	.client_monitors_config = interface_client_monitors_config,
	1074	};
	1075
	1076	static void qxl_enter_vga_mode(PCIQXLDevice *d)
	1077	{
	1078	if (d->mode == QXL_MODE_VGA) {
	1079	return;
	1080	}
	1081	trace_qxl_enter_vga_mode(d->id);
	1082	#if SPICE_SERVER_VERSION >= 0x000c03 /* release 0.12.3 */
	1083	spice_qxl_driver_unload(&d->ssd.qxl);
	1084	#endif
	1085	qemu_spice_create_host_primary(&d->ssd);
	1086	d->mode = QXL_MODE_VGA;
	1087	vga_dirty_log_start(&d->vga);
	1088	graphic_hw_update(d->vga.con);
	1089	}
	1090
	1091	static void qxl_exit_vga_mode(PCIQXLDevice *d)
	1092	{
	1093	if (d->mode != QXL_MODE_VGA) {
	1094	return;
	1095	}
	1096	trace_qxl_exit_vga_mode(d->id);
	1097	vga_dirty_log_stop(&d->vga);
	1098	qxl_destroy_primary(d, QXL_SYNC);
	1099	}
	1100
	1101	static void qxl_update_irq(PCIQXLDevice *d)
	1102	{
	1103	uint32_t pending = le32_to_cpu(d->ram->int_pending);
	1104	uint32_t mask = le32_to_cpu(d->ram->int_mask);
	1105	int level = !!(pending & mask);
	1106	qemu_set_irq(d->pci.irq[0], level);
	1107	qxl_ring_set_dirty(d);
	1108	}
	1109
	1110	static void qxl_check_state(PCIQXLDevice *d)
	1111	{
	1112	QXLRam *ram = d->ram;
	1113	int spice_display_running = qemu_spice_display_is_running(&d->ssd);
	1114
	1115	assert(!spice_display_running \|\| SPICE_RING_IS_EMPTY(&ram->cmd_ring));
	1116	assert(!spice_display_running \|\| SPICE_RING_IS_EMPTY(&ram->cursor_ring));
	1117	}
	1118
	1119	static void qxl_reset_state(PCIQXLDevice *d)
	1120	{
	1121	QXLRom *rom = d->rom;
	1122
	1123	qxl_check_state(d);
	1124	d->shadow_rom.update_id = cpu_to_le32(0);
	1125	*rom = d->shadow_rom;
	1126	qxl_rom_set_dirty(d);
	1127	init_qxl_ram(d);
	1128	d->num_free_res = 0;
	1129	d->last_release = NULL;
	1130	memset(&d->ssd.dirty, 0, sizeof(d->ssd.dirty));
	1131	}
	1132
	1133	static void qxl_soft_reset(PCIQXLDevice *d)
	1134	{
	1135	trace_qxl_soft_reset(d->id);
	1136	qxl_check_state(d);
	1137	qxl_clear_guest_bug(d);
	1138	d->current_async = QXL_UNDEFINED_IO;
	1139
	1140	if (d->id == 0) {
	1141	qxl_enter_vga_mode(d);
	1142	} else {
	1143	d->mode = QXL_MODE_UNDEFINED;
	1144	}
	1145	}
	1146
	1147	static void qxl_hard_reset(PCIQXLDevice *d, int loadvm)
	1148	{
	1149	trace_qxl_hard_reset(d->id, loadvm);
	1150
	1151	qxl_spice_reset_cursor(d);
	1152	qxl_spice_reset_image_cache(d);
	1153	qxl_reset_surfaces(d);
	1154	qxl_reset_memslots(d);
	1155
	1156	/* pre loadvm reset must not touch QXLRam. This lives in
	1157	* device memory, is migrated together with RAM and thus
	1158	* already loaded at this point */
	1159	if (!loadvm) {
	1160	qxl_reset_state(d);
	1161	}
	1162	qemu_spice_create_host_memslot(&d->ssd);
	1163	qxl_soft_reset(d);
	1164	}
	1165
	1166	static void qxl_reset_handler(DeviceState *dev)
	1167	{
	1168	PCIQXLDevice *d = DO_UPCAST(PCIQXLDevice, pci.qdev, dev);
	1169
	1170	qxl_hard_reset(d, 0);
	1171	}
	1172
	1173	static void qxl_vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
	1174	{
	1175	VGACommonState *vga = opaque;
	1176	PCIQXLDevice *qxl = container_of(vga, PCIQXLDevice, vga);
	1177
	1178	trace_qxl_io_write_vga(qxl->id, qxl_mode_to_string(qxl->mode), addr, val);
	1179	if (qxl->mode != QXL_MODE_VGA) {
	1180	qxl_destroy_primary(qxl, QXL_SYNC);
	1181	qxl_soft_reset(qxl);
	1182	}
	1183	vga_ioport_write(opaque, addr, val);
	1184	}
	1185
	1186	static const MemoryRegionPortio qxl_vga_portio_list[] = {
	1187	{ 0x04, 2, 1, .read = vga_ioport_read,
	1188	.write = qxl_vga_ioport_write }, /* 3b4 */
	1189	{ 0x0a, 1, 1, .read = vga_ioport_read,
	1190	.write = qxl_vga_ioport_write }, /* 3ba */
	1191	{ 0x10, 16, 1, .read = vga_ioport_read,
	1192	.write = qxl_vga_ioport_write }, /* 3c0 */
	1193	{ 0x24, 2, 1, .read = vga_ioport_read,
	1194	.write = qxl_vga_ioport_write }, /* 3d4 */
	1195	{ 0x2a, 1, 1, .read = vga_ioport_read,
	1196	.write = qxl_vga_ioport_write }, /* 3da */
	1197	PORTIO_END_OF_LIST(),
	1198	};
	1199
	1200	static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
	1201	qxl_async_io async)
	1202	{
	1203	static const int regions[] = {
	1204	QXL_RAM_RANGE_INDEX,
	1205	QXL_VRAM_RANGE_INDEX,
	1206	QXL_VRAM64_RANGE_INDEX,
	1207	};
	1208	uint64_t guest_start;
	1209	uint64_t guest_end;
	1210	int pci_region;
	1211	pcibus_t pci_start;
	1212	pcibus_t pci_end;
	1213	intptr_t virt_start;
	1214	QXLDevMemSlot memslot;
	1215	int i;
	1216
	1217	guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start);
	1218	guest_end = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end);
	1219
	1220	trace_qxl_memslot_add_guest(d->id, slot_id, guest_start, guest_end);
	1221
	1222	if (slot_id >= NUM_MEMSLOTS) {
	1223	qxl_set_guest_bug(d, "%s: slot_id >= NUM_MEMSLOTS %d >= %d", __func__,
	1224	slot_id, NUM_MEMSLOTS);
	1225	return 1;
	1226	}
	1227	if (guest_start > guest_end) {
	1228	qxl_set_guest_bug(d, "%s: guest_start > guest_end 0x%" PRIx64
	1229	" > 0x%" PRIx64, __func__, guest_start, guest_end);
	1230	return 1;
	1231	}
	1232
	1233	for (i = 0; i < ARRAY_SIZE(regions); i++) {
	1234	pci_region = regions[i];
	1235	pci_start = d->pci.io_regions[pci_region].addr;
	1236	pci_end = pci_start + d->pci.io_regions[pci_region].size;
	1237	/* mapped? */
	1238	if (pci_start == -1) {
	1239	continue;
	1240	}
	1241	/* start address in range ? */
	1242	if (guest_start < pci_start \|\| guest_start > pci_end) {
	1243	continue;
	1244	}
	1245	/* end address in range ? */
	1246	if (guest_end > pci_end) {
	1247	continue;
	1248	}
	1249	/* passed */
	1250	break;
	1251	}
	1252	if (i == ARRAY_SIZE(regions)) {
	1253	qxl_set_guest_bug(d, "%s: finished loop without match", __func__);
	1254	return 1;
	1255	}
	1256
	1257	switch (pci_region) {
	1258	case QXL_RAM_RANGE_INDEX:
	1259	virt_start = (intptr_t)memory_region_get_ram_ptr(&d->vga.vram);
	1260	break;
	1261	case QXL_VRAM_RANGE_INDEX:
	1262	case 4 /* vram 64bit */:
	1263	virt_start = (intptr_t)memory_region_get_ram_ptr(&d->vram_bar);
	1264	break;
	1265	default:
	1266	/* should not happen */
	1267	qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region);
	1268	return 1;
	1269	}
	1270
	1271	memslot.slot_id = slot_id;
	1272	memslot.slot_group_id = MEMSLOT_GROUP_GUEST; /* guest group */
	1273	memslot.virt_start = virt_start + (guest_start - pci_start);
	1274	memslot.virt_end = virt_start + (guest_end - pci_start);
	1275	memslot.addr_delta = memslot.virt_start - delta;
	1276	memslot.generation = d->rom->slot_generation = 0;
	1277	qxl_rom_set_dirty(d);
	1278
	1279	qemu_spice_add_memslot(&d->ssd, &memslot, async);
	1280	d->guest_slots[slot_id].ptr = (void*)memslot.virt_start;
	1281	d->guest_slots[slot_id].size = memslot.virt_end - memslot.virt_start;
	1282	d->guest_slots[slot_id].delta = delta;
	1283	d->guest_slots[slot_id].active = 1;
	1284	return 0;
	1285	}
	1286
	1287	static void qxl_del_memslot(PCIQXLDevice *d, uint32_t slot_id)
	1288	{
	1289	qemu_spice_del_memslot(&d->ssd, MEMSLOT_GROUP_HOST, slot_id);
	1290	d->guest_slots[slot_id].active = 0;
	1291	}
	1292
	1293	static void qxl_reset_memslots(PCIQXLDevice *d)
	1294	{
	1295	qxl_spice_reset_memslots(d);
	1296	memset(&d->guest_slots, 0, sizeof(d->guest_slots));
	1297	}
	1298
	1299	static void qxl_reset_surfaces(PCIQXLDevice *d)
	1300	{
	1301	trace_qxl_reset_surfaces(d->id);
	1302	d->mode = QXL_MODE_UNDEFINED;
	1303	qxl_spice_destroy_surfaces(d, QXL_SYNC);
	1304	}
	1305
	1306	/* can be also called from spice server thread context */
	1307	void qxl_phys2virt(PCIQXLDevice qxl, QXLPHYSICAL pqxl, int group_id)
	1308	{
	1309	uint64_t phys = le64_to_cpu(pqxl);
	1310	uint32_t slot = (phys >> (64 - 8)) & 0xff;
	1311	uint64_t offset = phys & 0xffffffffffff;
	1312
	1313	switch (group_id) {
	1314	case MEMSLOT_GROUP_HOST:
	1315	return (void *)(intptr_t)offset;
	1316	case MEMSLOT_GROUP_GUEST:
	1317	if (slot >= NUM_MEMSLOTS) {
	1318	qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
	1319	NUM_MEMSLOTS);
	1320	return NULL;
	1321	}
	1322	if (!qxl->guest_slots[slot].active) {
	1323	qxl_set_guest_bug(qxl, "inactive slot %d\n", slot);
	1324	return NULL;
	1325	}
	1326	if (offset < qxl->guest_slots[slot].delta) {
	1327	qxl_set_guest_bug(qxl,
	1328	"slot %d offset %"PRIu64" < delta %"PRIu64"\n",
	1329	slot, offset, qxl->guest_slots[slot].delta);
	1330	return NULL;
	1331	}
	1332	offset -= qxl->guest_slots[slot].delta;
	1333	if (offset > qxl->guest_slots[slot].size) {
	1334	qxl_set_guest_bug(qxl,
	1335	"slot %d offset %"PRIu64" > size %"PRIu64"\n",
	1336	slot, offset, qxl->guest_slots[slot].size);
	1337	return NULL;
	1338	}
	1339	return qxl->guest_slots[slot].ptr + offset;
	1340	}
	1341	return NULL;
	1342	}
	1343
	1344	static void qxl_create_guest_primary_complete(PCIQXLDevice *qxl)
	1345	{
	1346	/* for local rendering */
	1347	qxl_render_resize(qxl);
	1348	}
	1349
	1350	static void qxl_create_guest_primary(PCIQXLDevice *qxl, int loadvm,
	1351	qxl_async_io async)
	1352	{
	1353	QXLDevSurfaceCreate surface;
	1354	QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
	1355	int size;
	1356	int requested_height = le32_to_cpu(sc->height);
	1357	int requested_stride = le32_to_cpu(sc->stride);
	1358
	1359	size = abs(requested_stride) * requested_height;
	1360	if (size > qxl->vgamem_size) {
	1361	qxl_set_guest_bug(qxl, "%s: requested primary larger then framebuffer"
	1362	" size", __func__);
	1363	return;
	1364	}
	1365
	1366	if (qxl->mode == QXL_MODE_NATIVE) {
	1367	qxl_set_guest_bug(qxl, "%s: nop since already in QXL_MODE_NATIVE",
	1368	__func__);
	1369	}
	1370	qxl_exit_vga_mode(qxl);
	1371
	1372	surface.format = le32_to_cpu(sc->format);
	1373	surface.height = le32_to_cpu(sc->height);
	1374	surface.mem = le64_to_cpu(sc->mem);
	1375	surface.position = le32_to_cpu(sc->position);
	1376	surface.stride = le32_to_cpu(sc->stride);
	1377	surface.width = le32_to_cpu(sc->width);
	1378	surface.type = le32_to_cpu(sc->type);
	1379	surface.flags = le32_to_cpu(sc->flags);
	1380	trace_qxl_create_guest_primary(qxl->id, sc->width, sc->height, sc->mem,
	1381	sc->format, sc->position);
	1382	trace_qxl_create_guest_primary_rest(qxl->id, sc->stride, sc->type,
	1383	sc->flags);
	1384
	1385	if ((surface.stride & 0x3) != 0) {
	1386	qxl_set_guest_bug(qxl, "primary surface stride = %d %% 4 != 0",
	1387	surface.stride);
	1388	return;
	1389	}
	1390
	1391	surface.mouse_mode = true;
	1392	surface.group_id = MEMSLOT_GROUP_GUEST;
	1393	if (loadvm) {
	1394	surface.flags \|= QXL_SURF_FLAG_KEEP_DATA;
	1395	}
	1396
	1397	qxl->mode = QXL_MODE_NATIVE;
	1398	qxl->cmdflags = 0;
	1399	qemu_spice_create_primary_surface(&qxl->ssd, 0, &surface, async);
	1400
	1401	if (async == QXL_SYNC) {
	1402	qxl_create_guest_primary_complete(qxl);
	1403	}
	1404	}
	1405
	1406	/* return 1 if surface destoy was initiated (in QXL_ASYNC case) or
	1407	* done (in QXL_SYNC case), 0 otherwise. */
	1408	static int qxl_destroy_primary(PCIQXLDevice *d, qxl_async_io async)
	1409	{
	1410	if (d->mode == QXL_MODE_UNDEFINED) {
	1411	return 0;
	1412	}
	1413	trace_qxl_destroy_primary(d->id);
	1414	d->mode = QXL_MODE_UNDEFINED;
	1415	qemu_spice_destroy_primary_surface(&d->ssd, 0, async);
	1416	qxl_spice_reset_cursor(d);
	1417	return 1;
	1418	}
	1419
	1420	static void qxl_set_mode(PCIQXLDevice *d, int modenr, int loadvm)
	1421	{
	1422	pcibus_t start = d->pci.io_regions[QXL_RAM_RANGE_INDEX].addr;
	1423	pcibus_t end = d->pci.io_regions[QXL_RAM_RANGE_INDEX].size + start;
	1424	QXLMode *mode = d->modes->modes + modenr;
	1425	uint64_t devmem = d->pci.io_regions[QXL_RAM_RANGE_INDEX].addr;
	1426	QXLMemSlot slot = {
	1427	.mem_start = start,
	1428	.mem_end = end
	1429	};
	1430	QXLSurfaceCreate surface = {
	1431	.width = mode->x_res,
	1432	.height = mode->y_res,
	1433	.stride = -mode->x_res * 4,
	1434	.format = SPICE_SURFACE_FMT_32_xRGB,
	1435	.flags = loadvm ? QXL_SURF_FLAG_KEEP_DATA : 0,
	1436	.mouse_mode = true,
	1437	.mem = devmem + d->shadow_rom.draw_area_offset,
	1438	};
	1439
	1440	trace_qxl_set_mode(d->id, modenr, mode->x_res, mode->y_res, mode->bits,
	1441	devmem);
	1442	if (!loadvm) {
	1443	qxl_hard_reset(d, 0);
	1444	}
	1445
	1446	d->guest_slots[0].slot = slot;
	1447	assert(qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0);
	1448
	1449	d->guest_primary.surface = surface;
	1450	qxl_create_guest_primary(d, 0, QXL_SYNC);
	1451
	1452	d->mode = QXL_MODE_COMPAT;
	1453	d->cmdflags = QXL_COMMAND_FLAG_COMPAT;
	1454	if (mode->bits == 16) {
	1455	d->cmdflags \|= QXL_COMMAND_FLAG_COMPAT_16BPP;
	1456	}
	1457	d->shadow_rom.mode = cpu_to_le32(modenr);
	1458	d->rom->mode = cpu_to_le32(modenr);
	1459	qxl_rom_set_dirty(d);
	1460	}
	1461
	1462	static void ioport_write(void *opaque, hwaddr addr,
	1463	uint64_t val, unsigned size)
	1464	{
	1465	PCIQXLDevice *d = opaque;
	1466	uint32_t io_port = addr;
	1467	qxl_async_io async = QXL_SYNC;
	1468	uint32_t orig_io_port = io_port;
	1469
	1470	if (d->guest_bug && io_port != QXL_IO_RESET) {
	1471	return;
	1472	}
	1473
	1474	if (d->revision <= QXL_REVISION_STABLE_V10 &&
	1475	io_port > QXL_IO_FLUSH_RELEASE) {
	1476	qxl_set_guest_bug(d, "unsupported io %d for revision %d\n",
	1477	io_port, d->revision);
	1478	return;
	1479	}
	1480
	1481	switch (io_port) {
	1482	case QXL_IO_RESET:
	1483	case QXL_IO_SET_MODE:
	1484	case QXL_IO_MEMSLOT_ADD:
	1485	case QXL_IO_MEMSLOT_DEL:
	1486	case QXL_IO_CREATE_PRIMARY:
	1487	case QXL_IO_UPDATE_IRQ:
	1488	case QXL_IO_LOG:
	1489	case QXL_IO_MEMSLOT_ADD_ASYNC:
	1490	case QXL_IO_CREATE_PRIMARY_ASYNC:
	1491	break;
	1492	default:
	1493	if (d->mode != QXL_MODE_VGA) {
	1494	break;
	1495	}
	1496	trace_qxl_io_unexpected_vga_mode(d->id,
	1497	addr, val, io_port_to_string(io_port));
	1498	/* be nice to buggy guest drivers */
	1499	if (io_port >= QXL_IO_UPDATE_AREA_ASYNC &&
	1500	io_port < QXL_IO_RANGE_SIZE) {
	1501	qxl_send_events(d, QXL_INTERRUPT_IO_CMD);
	1502	}
	1503	return;
	1504	}
	1505
	1506	/* we change the io_port to avoid ifdeffery in the main switch */
	1507	orig_io_port = io_port;
	1508	switch (io_port) {
	1509	case QXL_IO_UPDATE_AREA_ASYNC:
	1510	io_port = QXL_IO_UPDATE_AREA;
	1511	goto async_common;
	1512	case QXL_IO_MEMSLOT_ADD_ASYNC:
	1513	io_port = QXL_IO_MEMSLOT_ADD;
	1514	goto async_common;
	1515	case QXL_IO_CREATE_PRIMARY_ASYNC:
	1516	io_port = QXL_IO_CREATE_PRIMARY;
	1517	goto async_common;
	1518	case QXL_IO_DESTROY_PRIMARY_ASYNC:
	1519	io_port = QXL_IO_DESTROY_PRIMARY;
	1520	goto async_common;
	1521	case QXL_IO_DESTROY_SURFACE_ASYNC:
	1522	io_port = QXL_IO_DESTROY_SURFACE_WAIT;
	1523	goto async_common;
	1524	case QXL_IO_DESTROY_ALL_SURFACES_ASYNC:
	1525	io_port = QXL_IO_DESTROY_ALL_SURFACES;
	1526	goto async_common;
	1527	case QXL_IO_FLUSH_SURFACES_ASYNC:
	1528	case QXL_IO_MONITORS_CONFIG_ASYNC:
	1529	async_common:
	1530	async = QXL_ASYNC;
	1531	qemu_mutex_lock(&d->async_lock);
	1532	if (d->current_async != QXL_UNDEFINED_IO) {
	1533	qxl_set_guest_bug(d, "%d async started before last (%d) complete",
	1534	io_port, d->current_async);
	1535	qemu_mutex_unlock(&d->async_lock);
	1536	return;
	1537	}
	1538	d->current_async = orig_io_port;
	1539	qemu_mutex_unlock(&d->async_lock);
	1540	break;
	1541	default:
	1542	break;
	1543	}
	1544	trace_qxl_io_write(d->id, qxl_mode_to_string(d->mode), addr, val, size,
	1545	async);
	1546
	1547	switch (io_port) {
	1548	case QXL_IO_UPDATE_AREA:
	1549	{
	1550	QXLCookie *cookie = NULL;
	1551	QXLRect update = d->ram->update_area;
	1552
	1553	if (d->ram->update_surface > d->ssd.num_surfaces) {
	1554	qxl_set_guest_bug(d, "QXL_IO_UPDATE_AREA: invalid surface id %d\n",
	1555	d->ram->update_surface);
	1556	break;
	1557	}
	1558	if (update.left >= update.right \|\| update.top >= update.bottom \|\|
	1559	update.left < 0 \|\| update.top < 0) {
	1560	qxl_set_guest_bug(d,
	1561	"QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
	1562	update.left, update.top, update.right, update.bottom);
	1563	break;
	1564	}
	1565	if (async == QXL_ASYNC) {
	1566	cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
	1567	QXL_IO_UPDATE_AREA_ASYNC);
	1568	cookie->u.area = update;
	1569	}
	1570	qxl_spice_update_area(d, d->ram->update_surface,
	1571	cookie ? &cookie->u.area : &update,
	1572	NULL, 0, 0, async, cookie);
	1573	break;
	1574	}
	1575	case QXL_IO_NOTIFY_CMD:
	1576	qemu_spice_wakeup(&d->ssd);
	1577	break;
	1578	case QXL_IO_NOTIFY_CURSOR:
	1579	qemu_spice_wakeup(&d->ssd);
	1580	break;
	1581	case QXL_IO_UPDATE_IRQ:
	1582	qxl_update_irq(d);
	1583	break;
	1584	case QXL_IO_NOTIFY_OOM:
	1585	if (!SPICE_RING_IS_EMPTY(&d->ram->release_ring)) {
	1586	break;
	1587	}
	1588	d->oom_running = 1;
	1589	qxl_spice_oom(d);
	1590	d->oom_running = 0;
	1591	break;
	1592	case QXL_IO_SET_MODE:
	1593	qxl_set_mode(d, val, 0);
	1594	break;
	1595	case QXL_IO_LOG:
	1596	trace_qxl_io_log(d->id, d->ram->log_buf);
	1597	if (d->guestdebug) {
	1598	fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id,
	1599	qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), d->ram->log_buf);
	1600	}
	1601	break;
	1602	case QXL_IO_RESET:
	1603	qxl_hard_reset(d, 0);
	1604	break;
	1605	case QXL_IO_MEMSLOT_ADD:
	1606	if (val >= NUM_MEMSLOTS) {
	1607	qxl_set_guest_bug(d, "QXL_IO_MEMSLOT_ADD: val out of range");
	1608	break;
	1609	}
	1610	if (d->guest_slots[val].active) {
	1611	qxl_set_guest_bug(d,
	1612	"QXL_IO_MEMSLOT_ADD: memory slot already active");
	1613	break;
	1614	}
	1615	d->guest_slots[val].slot = d->ram->mem_slot;
	1616	qxl_add_memslot(d, val, 0, async);
	1617	break;
	1618	case QXL_IO_MEMSLOT_DEL:
	1619	if (val >= NUM_MEMSLOTS) {
	1620	qxl_set_guest_bug(d, "QXL_IO_MEMSLOT_DEL: val out of range");
	1621	break;
	1622	}
	1623	qxl_del_memslot(d, val);
	1624	break;
	1625	case QXL_IO_CREATE_PRIMARY:
	1626	if (val != 0) {
	1627	qxl_set_guest_bug(d, "QXL_IO_CREATE_PRIMARY (async=%d): val != 0",
	1628	async);
	1629	goto cancel_async;
	1630	}
	1631	d->guest_primary.surface = d->ram->create_surface;
	1632	qxl_create_guest_primary(d, 0, async);
	1633	break;
	1634	case QXL_IO_DESTROY_PRIMARY:
	1635	if (val != 0) {
	1636	qxl_set_guest_bug(d, "QXL_IO_DESTROY_PRIMARY (async=%d): val != 0",
	1637	async);
	1638	goto cancel_async;
	1639	}
	1640	if (!qxl_destroy_primary(d, async)) {
	1641	trace_qxl_io_destroy_primary_ignored(d->id,
	1642	qxl_mode_to_string(d->mode));
	1643	goto cancel_async;
	1644	}
	1645	break;
	1646	case QXL_IO_DESTROY_SURFACE_WAIT:
	1647	if (val >= d->ssd.num_surfaces) {
	1648	qxl_set_guest_bug(d, "QXL_IO_DESTROY_SURFACE (async=%d):"
	1649	"%" PRIu64 " >= NUM_SURFACES", async, val);
	1650	goto cancel_async;
	1651	}
	1652	qxl_spice_destroy_surface_wait(d, val, async);
	1653	break;
	1654	case QXL_IO_FLUSH_RELEASE: {
	1655	QXLReleaseRing *ring = &d->ram->release_ring;
	1656	if (ring->prod - ring->cons + 1 == ring->num_items) {
	1657	fprintf(stderr,
	1658	"ERROR: no flush, full release ring [p%d,%dc]\n",
	1659	ring->prod, ring->cons);
	1660	}
	1661	qxl_push_free_res(d, 1 /* flush */);
	1662	break;
	1663	}
	1664	case QXL_IO_FLUSH_SURFACES_ASYNC:
	1665	qxl_spice_flush_surfaces_async(d);
	1666	break;
	1667	case QXL_IO_DESTROY_ALL_SURFACES:
	1668	d->mode = QXL_MODE_UNDEFINED;
	1669	qxl_spice_destroy_surfaces(d, async);
	1670	break;
	1671	case QXL_IO_MONITORS_CONFIG_ASYNC:
	1672	qxl_spice_monitors_config_async(d, 0);
	1673	break;
	1674	default:
	1675	qxl_set_guest_bug(d, "%s: unexpected ioport=0x%x\n", __func__, io_port);
	1676	}
	1677	return;
	1678	cancel_async:
	1679	if (async) {
	1680	qxl_send_events(d, QXL_INTERRUPT_IO_CMD);
	1681	qemu_mutex_lock(&d->async_lock);
	1682	d->current_async = QXL_UNDEFINED_IO;
	1683	qemu_mutex_unlock(&d->async_lock);
	1684	}
	1685	}
	1686
	1687	static uint64_t ioport_read(void *opaque, hwaddr addr,
	1688	unsigned size)
	1689	{
	1690	PCIQXLDevice *qxl = opaque;
	1691
	1692	trace_qxl_io_read_unexpected(qxl->id);
	1693	return 0xff;
	1694	}
	1695
	1696	static const MemoryRegionOps qxl_io_ops = {
	1697	.read = ioport_read,
	1698	.write = ioport_write,
	1699	.valid = {
	1700	.min_access_size = 1,
	1701	.max_access_size = 1,
	1702	},
	1703	};
	1704
	1705	static void pipe_read(void *opaque)
	1706	{
	1707	PCIQXLDevice *d = opaque;
	1708	char dummy;
	1709	int len;
	1710
	1711	do {
	1712	len = read(d->pipe[0], &dummy, sizeof(dummy));
	1713	} while (len == sizeof(dummy));
	1714	qxl_update_irq(d);
	1715	}
	1716
	1717	static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
	1718	{
	1719	uint32_t old_pending;
	1720	uint32_t le_events = cpu_to_le32(events);
	1721
	1722	trace_qxl_send_events(d->id, events);
	1723	if (!qemu_spice_display_is_running(&d->ssd)) {
	1724	/* spice-server tracks guest running state and should not do this */
	1725	fprintf(stderr, "%s: spice-server bug: guest stopped, ignoring\n",
	1726	__func__);
	1727	trace_qxl_send_events_vm_stopped(d->id, events);
	1728	return;
	1729	}
	1730	old_pending = atomic_fetch_or(&d->ram->int_pending, le_events);
	1731	if ((old_pending & le_events) == le_events) {
	1732	return;
	1733	}
	1734	if (qemu_thread_is_self(&d->main)) {
	1735	qxl_update_irq(d);
	1736	} else {
	1737	if (write(d->pipe[1], d, 1) != 1) {
	1738	dprint(d, 1, "%s: write to pipe failed\n", __func__);
	1739	}
	1740	}
	1741	}
	1742
	1743	static void init_pipe_signaling(PCIQXLDevice *d)
	1744	{
	1745	if (pipe(d->pipe) < 0) {
	1746	fprintf(stderr, "%s:%s: qxl pipe creation failed\n",
	1747	__FILE__, __func__);
	1748	exit(1);
	1749	}
	1750	fcntl(d->pipe[0], F_SETFL, O_NONBLOCK);
	1751	fcntl(d->pipe[1], F_SETFL, O_NONBLOCK);
	1752	fcntl(d->pipe[0], F_SETOWN, getpid());
	1753
	1754	qemu_thread_get_self(&d->main);
	1755	qemu_set_fd_handler(d->pipe[0], pipe_read, NULL, d);
	1756	}
	1757
	1758	/* graphics console */
	1759
	1760	static void qxl_hw_update(void *opaque)
	1761	{
	1762	PCIQXLDevice *qxl = opaque;
	1763	VGACommonState *vga = &qxl->vga;
	1764
	1765	switch (qxl->mode) {
	1766	case QXL_MODE_VGA:
	1767	vga->hw_ops->gfx_update(vga);
	1768	break;
	1769	case QXL_MODE_COMPAT:
	1770	case QXL_MODE_NATIVE:
	1771	qxl_render_update(qxl);
	1772	break;
	1773	default:
	1774	break;
	1775	}
	1776	}
	1777
	1778	static void qxl_hw_invalidate(void *opaque)
	1779	{
	1780	PCIQXLDevice *qxl = opaque;
	1781	VGACommonState *vga = &qxl->vga;
	1782
	1783	if (qxl->mode == QXL_MODE_VGA) {
	1784	vga->hw_ops->invalidate(vga);
	1785	return;
	1786	}
	1787	}
	1788
	1789	static void qxl_hw_text_update(void opaque, console_ch_t chardata)
	1790	{
	1791	PCIQXLDevice *qxl = opaque;
	1792	VGACommonState *vga = &qxl->vga;
	1793
	1794	if (qxl->mode == QXL_MODE_VGA) {
	1795	vga->hw_ops->text_update(vga, chardata);
	1796	return;
	1797	}
	1798	}
	1799
	1800	static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
	1801	{
	1802	uintptr_t vram_start;
	1803	int i;
	1804
	1805	if (qxl->mode != QXL_MODE_NATIVE && qxl->mode != QXL_MODE_COMPAT) {
	1806	return;
	1807	}
	1808
	1809	/* dirty the primary surface */
	1810	qxl_set_dirty(&qxl->vga.vram, qxl->shadow_rom.draw_area_offset,
	1811	qxl->shadow_rom.surface0_area_size);
	1812
	1813	vram_start = (uintptr_t)memory_region_get_ram_ptr(&qxl->vram_bar);
	1814
	1815	/* dirty the off-screen surfaces */
	1816	for (i = 0; i < qxl->ssd.num_surfaces; i++) {
	1817	QXLSurfaceCmd *cmd;
	1818	intptr_t surface_offset;
	1819	int surface_size;
	1820
	1821	if (qxl->guest_surfaces.cmds[i] == 0) {
	1822	continue;
	1823	}
	1824
	1825	cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
	1826	MEMSLOT_GROUP_GUEST);
	1827	assert(cmd);
	1828	assert(cmd->type == QXL_SURFACE_CMD_CREATE);
	1829	surface_offset = (intptr_t)qxl_phys2virt(qxl,
	1830	cmd->u.surface_create.data,
	1831	MEMSLOT_GROUP_GUEST);
	1832	assert(surface_offset);
	1833	surface_offset -= vram_start;
	1834	surface_size = cmd->u.surface_create.height *
	1835	abs(cmd->u.surface_create.stride);
	1836	trace_qxl_surfaces_dirty(qxl->id, i, (int)surface_offset, surface_size);
	1837	qxl_set_dirty(&qxl->vram_bar, surface_offset, surface_size);
	1838	}
	1839	}
	1840
	1841	static void qxl_vm_change_state_handler(void *opaque, int running,
	1842	RunState state)
	1843	{
	1844	PCIQXLDevice *qxl = opaque;
	1845
	1846	if (running) {
	1847	/*
	1848	* if qxl_send_events was called from spice server context before
	1849	* migration ended, qxl_update_irq for these events might not have been
	1850	* called
	1851	*/
	1852	qxl_update_irq(qxl);
	1853	} else {
	1854	/* make sure surfaces are saved before migration */
	1855	qxl_dirty_surfaces(qxl);
	1856	}
	1857	}
	1858
	1859	/* display change listener */
	1860
	1861	static void display_update(DisplayChangeListener *dcl,
	1862	int x, int y, int w, int h)
	1863	{
	1864	PCIQXLDevice *qxl = container_of(dcl, PCIQXLDevice, ssd.dcl);
	1865
	1866	if (qxl->mode == QXL_MODE_VGA) {
	1867	qemu_spice_display_update(&qxl->ssd, x, y, w, h);
	1868	}
	1869	}
	1870
	1871	static void display_switch(DisplayChangeListener *dcl,
	1872	struct DisplaySurface *surface)
	1873	{
	1874	PCIQXLDevice *qxl = container_of(dcl, PCIQXLDevice, ssd.dcl);
	1875
	1876	qxl->ssd.ds = surface;
	1877	if (qxl->mode == QXL_MODE_VGA) {
	1878	qemu_spice_display_switch(&qxl->ssd, surface);
	1879	}
	1880	}
	1881
	1882	static void display_refresh(DisplayChangeListener *dcl)
	1883	{
	1884	PCIQXLDevice *qxl = container_of(dcl, PCIQXLDevice, ssd.dcl);
	1885
	1886	if (qxl->mode == QXL_MODE_VGA) {
	1887	qemu_spice_display_refresh(&qxl->ssd);
	1888	} else {
	1889	qemu_mutex_lock(&qxl->ssd.lock);
	1890	qemu_spice_cursor_refresh_unlocked(&qxl->ssd);
	1891	qemu_mutex_unlock(&qxl->ssd.lock);
	1892	}
	1893	}
	1894
	1895	static DisplayChangeListenerOps display_listener_ops = {
	1896	.dpy_name = "spice/qxl",
	1897	.dpy_gfx_update = display_update,
	1898	.dpy_gfx_switch = display_switch,
	1899	.dpy_refresh = display_refresh,
	1900	};
	1901
	1902	static void qxl_init_ramsize(PCIQXLDevice *qxl)
	1903	{
	1904	/* vga mode framebuffer / primary surface (bar 0, first part) */
	1905	if (qxl->vgamem_size_mb < 8) {
	1906	qxl->vgamem_size_mb = 8;
	1907	}
	1908	qxl->vgamem_size = qxl->vgamem_size_mb * 1024 * 1024;
	1909
	1910	/* vga ram (bar 0, total) */
	1911	if (qxl->ram_size_mb != -1) {
	1912	qxl->vga.vram_size = qxl->ram_size_mb * 1024 * 1024;
	1913	}
	1914	if (qxl->vga.vram_size < qxl->vgamem_size * 2) {
	1915	qxl->vga.vram_size = qxl->vgamem_size * 2;
	1916	}
	1917
	1918	/* vram32 (surfaces, 32bit, bar 1) */
	1919	if (qxl->vram32_size_mb != -1) {
	1920	qxl->vram32_size = qxl->vram32_size_mb * 1024 * 1024;
	1921	}
	1922	if (qxl->vram32_size < 4096) {
	1923	qxl->vram32_size = 4096;
	1924	}
	1925
	1926	/* vram (surfaces, 64bit, bar 4+5) */
	1927	if (qxl->vram_size_mb != -1) {
	1928	qxl->vram_size = qxl->vram_size_mb * 1024 * 1024;
	1929	}
	1930	if (qxl->vram_size < qxl->vram32_size) {
	1931	qxl->vram_size = qxl->vram32_size;
	1932	}
	1933
	1934	if (qxl->revision == 1) {
	1935	qxl->vram32_size = 4096;
	1936	qxl->vram_size = 4096;
	1937	}
	1938	qxl->vgamem_size = msb_mask(qxl->vgamem_size * 2 - 1);
	1939	qxl->vga.vram_size = msb_mask(qxl->vga.vram_size * 2 - 1);
	1940	qxl->vram32_size = msb_mask(qxl->vram32_size * 2 - 1);
	1941	qxl->vram_size = msb_mask(qxl->vram_size * 2 - 1);
	1942	}
	1943
	1944	static int qxl_init_common(PCIQXLDevice *qxl)
	1945	{
	1946	uint8_t* config = qxl->pci.config;
	1947	uint32_t pci_device_rev;
	1948	uint32_t io_size;
	1949
	1950	qxl->mode = QXL_MODE_UNDEFINED;
	1951	qxl->generation = 1;
	1952	qxl->num_memslots = NUM_MEMSLOTS;
	1953	qemu_mutex_init(&qxl->track_lock);
	1954	qemu_mutex_init(&qxl->async_lock);
	1955	qxl->current_async = QXL_UNDEFINED_IO;
	1956	qxl->guest_bug = 0;
	1957
	1958	switch (qxl->revision) {
	1959	case 1: /* spice 0.4 -- qxl-1 */
	1960	pci_device_rev = QXL_REVISION_STABLE_V04;
	1961	io_size = 8;
	1962	break;
	1963	case 2: /* spice 0.6 -- qxl-2 */
	1964	pci_device_rev = QXL_REVISION_STABLE_V06;
	1965	io_size = 16;
	1966	break;
	1967	case 3: /* qxl-3 */
	1968	pci_device_rev = QXL_REVISION_STABLE_V10;
	1969	io_size = 32; /* PCI region size must be pow2 */
	1970	break;
	1971	case 4: /* qxl-4 */
	1972	pci_device_rev = QXL_REVISION_STABLE_V12;
	1973	io_size = msb_mask(QXL_IO_RANGE_SIZE * 2 - 1);
	1974	break;
	1975	default:
	1976	error_report("Invalid revision %d for qxl device (max %d)",
	1977	qxl->revision, QXL_DEFAULT_REVISION);
	1978	return -1;
	1979	}
	1980
	1981	pci_set_byte(&config[PCI_REVISION_ID], pci_device_rev);
	1982	pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
	1983
	1984	qxl->rom_size = qxl_rom_size();
	1985	memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
	1986	qxl->rom_size);
	1987	vmstate_register_ram(&qxl->rom_bar, &qxl->pci.qdev);
	1988	init_qxl_rom(qxl);
	1989	init_qxl_ram(qxl);
	1990
	1991	qxl->guest_surfaces.cmds = g_new0(QXLPHYSICAL, qxl->ssd.num_surfaces);
	1992	memory_region_init_ram(&qxl->vram_bar, OBJECT(qxl), "qxl.vram",
	1993	qxl->vram_size);
	1994	vmstate_register_ram(&qxl->vram_bar, &qxl->pci.qdev);
	1995	memory_region_init_alias(&qxl->vram32_bar, OBJECT(qxl), "qxl.vram32",
	1996	&qxl->vram_bar, 0, qxl->vram32_size);
	1997
	1998	memory_region_init_io(&qxl->io_bar, OBJECT(qxl), &qxl_io_ops, qxl,
	1999	"qxl-ioports", io_size);
	2000	if (qxl->id == 0) {
	2001	vga_dirty_log_start(&qxl->vga);
	2002	}
	2003	memory_region_set_flush_coalesced(&qxl->io_bar);
	2004
	2005
	2006	pci_register_bar(&qxl->pci, QXL_IO_RANGE_INDEX,
	2007	PCI_BASE_ADDRESS_SPACE_IO, &qxl->io_bar);
	2008
	2009	pci_register_bar(&qxl->pci, QXL_ROM_RANGE_INDEX,
	2010	PCI_BASE_ADDRESS_SPACE_MEMORY, &qxl->rom_bar);
	2011
	2012	pci_register_bar(&qxl->pci, QXL_RAM_RANGE_INDEX,
	2013	PCI_BASE_ADDRESS_SPACE_MEMORY, &qxl->vga.vram);
	2014
	2015	pci_register_bar(&qxl->pci, QXL_VRAM_RANGE_INDEX,
	2016	PCI_BASE_ADDRESS_SPACE_MEMORY, &qxl->vram32_bar);
	2017
	2018	if (qxl->vram32_size < qxl->vram_size) {
	2019	/*
	2020	* Make the 64bit vram bar show up only in case it is
	2021	* configured to be larger than the 32bit vram bar.
	2022	*/
	2023	pci_register_bar(&qxl->pci, QXL_VRAM64_RANGE_INDEX,
	2024	PCI_BASE_ADDRESS_SPACE_MEMORY \|
	2025	PCI_BASE_ADDRESS_MEM_TYPE_64 \|
	2026	PCI_BASE_ADDRESS_MEM_PREFETCH,
	2027	&qxl->vram_bar);
	2028	}
	2029
	2030	/* print pci bar details */
	2031	dprint(qxl, 1, "ram/%s: %d MB [region 0]\n",
	2032	qxl->id == 0 ? "pri" : "sec",
	2033	qxl->vga.vram_size / (1024*1024));
	2034	dprint(qxl, 1, "vram/32: %d MB [region 1]\n",
	2035	qxl->vram32_size / (1024*1024));
	2036	dprint(qxl, 1, "vram/64: %d MB %s\n",
	2037	qxl->vram_size / (1024*1024),
	2038	qxl->vram32_size < qxl->vram_size ? "[region 4]" : "[unmapped]");
	2039
	2040	qxl->ssd.qxl.base.sif = &qxl_interface.base;
	2041	qxl->ssd.qxl.id = qxl->id;
	2042	if (qemu_spice_add_interface(&qxl->ssd.qxl.base) != 0) {
	2043	error_report("qxl interface %d.%d not supported by spice-server",
	2044	SPICE_INTERFACE_QXL_MAJOR, SPICE_INTERFACE_QXL_MINOR);
	2045	return -1;
	2046	}
	2047	qemu_add_vm_change_state_handler(qxl_vm_change_state_handler, qxl);
	2048
	2049	init_pipe_signaling(qxl);
	2050	qxl_reset_state(qxl);
	2051
	2052	qxl->update_area_bh = qemu_bh_new(qxl_render_update_area_bh, qxl);
	2053
	2054	return 0;
	2055	}
	2056
	2057	static const GraphicHwOps qxl_ops = {
	2058	.invalidate = qxl_hw_invalidate,
	2059	.gfx_update = qxl_hw_update,
	2060	.text_update = qxl_hw_text_update,
	2061	};
	2062
	2063	static int qxl_init_primary(PCIDevice *dev)
	2064	{
	2065	PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, dev);
	2066	VGACommonState *vga = &qxl->vga;
	2067	PortioList *qxl_vga_port_list = g_new(PortioList, 1);
	2068	int rc;
	2069
	2070	qxl->id = 0;
	2071	qxl_init_ramsize(qxl);
	2072	vga->vram_size_mb = qxl->vga.vram_size >> 20;
	2073	vga_common_init(vga, OBJECT(dev));
	2074	vga_init(vga, OBJECT(dev),
	2075	pci_address_space(dev), pci_address_space_io(dev), false);
	2076	portio_list_init(qxl_vga_port_list, OBJECT(dev), qxl_vga_portio_list,
	2077	vga, "vga");
	2078	portio_list_add(qxl_vga_port_list, pci_address_space_io(dev), 0x3b0);
	2079
	2080	vga->con = graphic_console_init(DEVICE(dev), &qxl_ops, qxl);
	2081	qemu_spice_display_init_common(&qxl->ssd);
	2082
	2083	rc = qxl_init_common(qxl);
	2084	if (rc != 0) {
	2085	return rc;
	2086	}
	2087
	2088	qxl->ssd.dcl.ops = &display_listener_ops;
	2089	qxl->ssd.dcl.con = vga->con;
	2090	register_displaychangelistener(&qxl->ssd.dcl);
	2091	return rc;
	2092	}
	2093
	2094	static int qxl_init_secondary(PCIDevice *dev)
	2095	{
	2096	static int device_id = 1;
	2097	PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, dev);
	2098
	2099	qxl->id = device_id++;
	2100	qxl_init_ramsize(qxl);
	2101	memory_region_init_ram(&qxl->vga.vram, OBJECT(dev), "qxl.vgavram",
	2102	qxl->vga.vram_size);
	2103	vmstate_register_ram(&qxl->vga.vram, &qxl->pci.qdev);
	2104	qxl->vga.vram_ptr = memory_region_get_ram_ptr(&qxl->vga.vram);
	2105	qxl->vga.con = graphic_console_init(DEVICE(dev), &qxl_ops, qxl);
	2106
	2107	return qxl_init_common(qxl);
	2108	}
	2109
	2110	static void qxl_pre_save(void *opaque)
	2111	{
	2112	PCIQXLDevice* d = opaque;
	2113	uint8_t *ram_start = d->vga.vram_ptr;
	2114
	2115	trace_qxl_pre_save(d->id);
	2116	if (d->last_release == NULL) {
	2117	d->last_release_offset = 0;
	2118	} else {
	2119	d->last_release_offset = (uint8_t *)d->last_release - ram_start;
	2120	}
	2121	assert(d->last_release_offset < d->vga.vram_size);
	2122	}
	2123
	2124	static int qxl_pre_load(void *opaque)
	2125	{
	2126	PCIQXLDevice* d = opaque;
	2127
	2128	trace_qxl_pre_load(d->id);
	2129	qxl_hard_reset(d, 1);
	2130	qxl_exit_vga_mode(d);
	2131	return 0;
	2132	}
	2133
	2134	static void qxl_create_memslots(PCIQXLDevice *d)
	2135	{
	2136	int i;
	2137
	2138	for (i = 0; i < NUM_MEMSLOTS; i++) {
	2139	if (!d->guest_slots[i].active) {
	2140	continue;
	2141	}
	2142	qxl_add_memslot(d, i, 0, QXL_SYNC);
	2143	}
	2144	}
	2145
	2146	static int qxl_post_load(void *opaque, int version)
	2147	{
	2148	PCIQXLDevice* d = opaque;
	2149	uint8_t *ram_start = d->vga.vram_ptr;
	2150	QXLCommandExt *cmds;
	2151	int in, out, newmode;
	2152
	2153	assert(d->last_release_offset < d->vga.vram_size);
	2154	if (d->last_release_offset == 0) {
	2155	d->last_release = NULL;
	2156	} else {
	2157	d->last_release = (QXLReleaseInfo *)(ram_start + d->last_release_offset);
	2158	}
	2159
	2160	d->modes = (QXLModes)((uint8_t)d->rom + d->rom->modes_offset);
	2161
	2162	trace_qxl_post_load(d->id, qxl_mode_to_string(d->mode));
	2163	newmode = d->mode;
	2164	d->mode = QXL_MODE_UNDEFINED;
	2165
	2166	switch (newmode) {
	2167	case QXL_MODE_UNDEFINED:
	2168	qxl_create_memslots(d);
	2169	break;
	2170	case QXL_MODE_VGA:
	2171	qxl_create_memslots(d);
	2172	qxl_enter_vga_mode(d);
	2173	break;
	2174	case QXL_MODE_NATIVE:
	2175	qxl_create_memslots(d);
	2176	qxl_create_guest_primary(d, 1, QXL_SYNC);
	2177
	2178	/* replay surface-create and cursor-set commands */
	2179	cmds = g_malloc0(sizeof(QXLCommandExt) * (d->ssd.num_surfaces + 1));
	2180	for (in = 0, out = 0; in < d->ssd.num_surfaces; in++) {
	2181	if (d->guest_surfaces.cmds[in] == 0) {
	2182	continue;
	2183	}
	2184	cmds[out].cmd.data = d->guest_surfaces.cmds[in];
	2185	cmds[out].cmd.type = QXL_CMD_SURFACE;
	2186	cmds[out].group_id = MEMSLOT_GROUP_GUEST;
	2187	out++;
	2188	}
	2189	if (d->guest_cursor) {
	2190	cmds[out].cmd.data = d->guest_cursor;
	2191	cmds[out].cmd.type = QXL_CMD_CURSOR;
	2192	cmds[out].group_id = MEMSLOT_GROUP_GUEST;
	2193	out++;
	2194	}
	2195	qxl_spice_loadvm_commands(d, cmds, out);
	2196	g_free(cmds);
	2197	if (d->guest_monitors_config) {
	2198	qxl_spice_monitors_config_async(d, 1);
	2199	}
	2200	break;
	2201	case QXL_MODE_COMPAT:
	2202	/* note: no need to call qxl_create_memslots, qxl_set_mode
	2203	* creates the mem slot. */
	2204	qxl_set_mode(d, d->shadow_rom.mode, 1);
	2205	break;
	2206	}
	2207	return 0;
	2208	}
	2209
	2210	#define QXL_SAVE_VERSION 21
	2211
	2212	static bool qxl_monitors_config_needed(void *opaque)
	2213	{
	2214	PCIQXLDevice *qxl = opaque;
	2215
	2216	return qxl->guest_monitors_config != 0;
	2217	}
	2218
	2219
	2220	static VMStateDescription qxl_memslot = {
	2221	.name = "qxl-memslot",
	2222	.version_id = QXL_SAVE_VERSION,
	2223	.minimum_version_id = QXL_SAVE_VERSION,
	2224	.fields = (VMStateField[]) {
	2225	VMSTATE_UINT64(slot.mem_start, struct guest_slots),
	2226	VMSTATE_UINT64(slot.mem_end, struct guest_slots),
	2227	VMSTATE_UINT32(active, struct guest_slots),
	2228	VMSTATE_END_OF_LIST()
	2229	}
	2230	};
	2231
	2232	static VMStateDescription qxl_surface = {
	2233	.name = "qxl-surface",
	2234	.version_id = QXL_SAVE_VERSION,
	2235	.minimum_version_id = QXL_SAVE_VERSION,
	2236	.fields = (VMStateField[]) {
	2237	VMSTATE_UINT32(width, QXLSurfaceCreate),
	2238	VMSTATE_UINT32(height, QXLSurfaceCreate),
	2239	VMSTATE_INT32(stride, QXLSurfaceCreate),
	2240	VMSTATE_UINT32(format, QXLSurfaceCreate),
	2241	VMSTATE_UINT32(position, QXLSurfaceCreate),
	2242	VMSTATE_UINT32(mouse_mode, QXLSurfaceCreate),
	2243	VMSTATE_UINT32(flags, QXLSurfaceCreate),
	2244	VMSTATE_UINT32(type, QXLSurfaceCreate),
	2245	VMSTATE_UINT64(mem, QXLSurfaceCreate),
	2246	VMSTATE_END_OF_LIST()
	2247	}
	2248	};
	2249
	2250	static VMStateDescription qxl_vmstate_monitors_config = {
	2251	.name = "qxl/monitors-config",
	2252	.version_id = 1,
	2253	.minimum_version_id = 1,
	2254	.fields = (VMStateField[]) {
	2255	VMSTATE_UINT64(guest_monitors_config, PCIQXLDevice),
	2256	VMSTATE_END_OF_LIST()
	2257	},
	2258	};
	2259
	2260	static VMStateDescription qxl_vmstate = {
	2261	.name = "qxl",
	2262	.version_id = QXL_SAVE_VERSION,
	2263	.minimum_version_id = QXL_SAVE_VERSION,
	2264	.pre_save = qxl_pre_save,
	2265	.pre_load = qxl_pre_load,
	2266	.post_load = qxl_post_load,
	2267	.fields = (VMStateField[]) {
	2268	VMSTATE_PCI_DEVICE(pci, PCIQXLDevice),
	2269	VMSTATE_STRUCT(vga, PCIQXLDevice, 0, vmstate_vga_common, VGACommonState),
	2270	VMSTATE_UINT32(shadow_rom.mode, PCIQXLDevice),
	2271	VMSTATE_UINT32(num_free_res, PCIQXLDevice),
	2272	VMSTATE_UINT32(last_release_offset, PCIQXLDevice),
	2273	VMSTATE_UINT32(mode, PCIQXLDevice),
	2274	VMSTATE_UINT32(ssd.unique, PCIQXLDevice),
	2275	VMSTATE_INT32_EQUAL(num_memslots, PCIQXLDevice),
	2276	VMSTATE_STRUCT_ARRAY(guest_slots, PCIQXLDevice, NUM_MEMSLOTS, 0,
	2277	qxl_memslot, struct guest_slots),
	2278	VMSTATE_STRUCT(guest_primary.surface, PCIQXLDevice, 0,
	2279	qxl_surface, QXLSurfaceCreate),
	2280	VMSTATE_INT32_EQUAL(ssd.num_surfaces, PCIQXLDevice),
	2281	VMSTATE_VARRAY_INT32(guest_surfaces.cmds, PCIQXLDevice,
	2282	ssd.num_surfaces, 0,
	2283	vmstate_info_uint64, uint64_t),
	2284	VMSTATE_UINT64(guest_cursor, PCIQXLDevice),
	2285	VMSTATE_END_OF_LIST()
	2286	},
	2287	.subsections = (VMStateSubsection[]) {
	2288	{
	2289	.vmsd = &qxl_vmstate_monitors_config,
	2290	.needed = qxl_monitors_config_needed,
	2291	}, {
	2292	/* empty */
	2293	}
	2294	}
	2295	};
	2296
	2297	static Property qxl_properties[] = {
	2298	DEFINE_PROP_UINT32("ram_size", PCIQXLDevice, vga.vram_size,
	2299	64 * 1024 * 1024),
	2300	DEFINE_PROP_UINT32("vram_size", PCIQXLDevice, vram32_size,
	2301	64 * 1024 * 1024),
	2302	DEFINE_PROP_UINT32("revision", PCIQXLDevice, revision,
	2303	QXL_DEFAULT_REVISION),
	2304	DEFINE_PROP_UINT32("debug", PCIQXLDevice, debug, 0),
	2305	DEFINE_PROP_UINT32("guestdebug", PCIQXLDevice, guestdebug, 0),
	2306	DEFINE_PROP_UINT32("cmdlog", PCIQXLDevice, cmdlog, 0),
	2307	DEFINE_PROP_UINT32("ram_size_mb", PCIQXLDevice, ram_size_mb, -1),
	2308	DEFINE_PROP_UINT32("vram_size_mb", PCIQXLDevice, vram32_size_mb, -1),
	2309	DEFINE_PROP_UINT32("vram64_size_mb", PCIQXLDevice, vram_size_mb, -1),
	2310	DEFINE_PROP_UINT32("vgamem_mb", PCIQXLDevice, vgamem_size_mb, 16),
	2311	DEFINE_PROP_INT32("surfaces", PCIQXLDevice, ssd.num_surfaces, 1024),
	2312	DEFINE_PROP_END_OF_LIST(),
	2313	};
	2314
	2315	static void qxl_primary_class_init(ObjectClass klass, void data)
	2316	{
	2317	DeviceClass *dc = DEVICE_CLASS(klass);
	2318	PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
	2319
	2320	k->no_hotplug = 1;
	2321	k->init = qxl_init_primary;
	2322	k->romfile = "vgabios-qxl.bin";
	2323	k->vendor_id = REDHAT_PCI_VENDOR_ID;
	2324	k->device_id = QXL_DEVICE_ID_STABLE;
	2325	k->class_id = PCI_CLASS_DISPLAY_VGA;
	2326	set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
	2327	dc->desc = "Spice QXL GPU (primary, vga compatible)";
	2328	dc->reset = qxl_reset_handler;
	2329	dc->vmsd = &qxl_vmstate;
	2330	dc->props = qxl_properties;
	2331	}
	2332
	2333	static const TypeInfo qxl_primary_info = {
	2334	.name = "qxl-vga",
	2335	.parent = TYPE_PCI_DEVICE,
	2336	.instance_size = sizeof(PCIQXLDevice),
	2337	.class_init = qxl_primary_class_init,
	2338	};
	2339
	2340	static void qxl_secondary_class_init(ObjectClass klass, void data)
	2341	{
	2342	DeviceClass *dc = DEVICE_CLASS(klass);
	2343	PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
	2344
	2345	k->init = qxl_init_secondary;
	2346	k->vendor_id = REDHAT_PCI_VENDOR_ID;
	2347	k->device_id = QXL_DEVICE_ID_STABLE;
	2348	k->class_id = PCI_CLASS_DISPLAY_OTHER;
	2349	set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
	2350	dc->desc = "Spice QXL GPU (secondary)";
	2351	dc->reset = qxl_reset_handler;
	2352	dc->vmsd = &qxl_vmstate;
	2353	dc->props = qxl_properties;
	2354	}
	2355
	2356	static const TypeInfo qxl_secondary_info = {
	2357	.name = "qxl",
	2358	.parent = TYPE_PCI_DEVICE,
	2359	.instance_size = sizeof(PCIQXLDevice),
	2360	.class_init = qxl_secondary_class_init,
	2361	};
	2362
	2363	static void qxl_register_types(void)
	2364	{
	2365	type_register_static(&qxl_primary_info);
	2366	type_register_static(&qxl_secondary_info);
	2367	}
	2368
	2369	type_init(qxl_register_types)