X-Git-Url: https://repo.jachan.dev/qemu.git/blobdiff_plain/9ed5dacbfa0f3f74238854776385f150b68e78b9..167d97a3def77ee2dbf6e908b0ecbfe2103977db:/hw/display/vmware_vga.c diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c index aba292ccde..6599cf078d 100644 --- a/hw/display/vmware_vga.c +++ b/hw/display/vmware_vga.c @@ -21,10 +21,13 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ +#include "qemu/osdep.h" +#include "qapi/error.h" #include "hw/hw.h" #include "hw/loader.h" #include "trace.h" #include "ui/console.h" +#include "ui/vnc.h" #include "hw/pci/pci.h" #undef VERBOSE @@ -63,17 +66,11 @@ struct vmsvga_state_s { uint8_t *fifo_ptr; unsigned int fifo_size; - union { - uint32_t *fifo; - struct QEMU_PACKED { - uint32_t min; - uint32_t max; - uint32_t next_cmd; - uint32_t stop; - /* Add registers here when adding capabilities. */ - uint32_t fifo[0]; - } *cmd; - }; + uint32_t *fifo; + uint32_t fifo_min; + uint32_t fifo_max; + uint32_t fifo_next; + uint32_t fifo_stop; #define REDRAW_FIFO_LEN 512 struct vmsvga_rect_s { @@ -195,7 +192,7 @@ enum { */ SVGA_FIFO_MIN = 0, SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */ - SVGA_FIFO_NEXT_CMD, + SVGA_FIFO_NEXT, SVGA_FIFO_STOP, /* @@ -218,7 +215,7 @@ enum { /* These values can probably be changed arbitrarily. */ #define SVGA_SCRATCH_SIZE 0x8000 -#define SVGA_MAX_WIDTH 2360 +#define SVGA_MAX_WIDTH ROUND_UP(2360, VNC_DIRTY_PIXELS_PER_BIT) #define SVGA_MAX_HEIGHT 1770 #ifdef VERBOSE @@ -291,47 +288,74 @@ enum { SVGA_CURSOR_ON_RESTORE_TO_FB = 3, }; -static inline void vmsvga_update_rect(struct vmsvga_state_s *s, - int x, int y, int w, int h) +static inline bool vmsvga_verify_rect(DisplaySurface *surface, + const char *name, + int x, int y, int w, int h) { - DisplaySurface *surface = qemu_console_surface(s->vga.con); - int line; - int bypl; - int width; - int start; - uint8_t *src; - uint8_t *dst; - if (x < 0) { - fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x); - w += x; - x = 0; + fprintf(stderr, "%s: x was < 0 (%d)\n", name, x); + return false; + } + if (x > SVGA_MAX_WIDTH) { + fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x); + return false; } if (w < 0) { - fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w); - w = 0; + fprintf(stderr, "%s: w was < 0 (%d)\n", name, w); + return false; + } + if (w > SVGA_MAX_WIDTH) { + fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w); + return false; } if (x + w > surface_width(surface)) { - fprintf(stderr, "%s: update width too large x: %d, w: %d\n", - __func__, x, w); - x = MIN(x, surface_width(surface)); - w = surface_width(surface) - x; + fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n", + name, surface_width(surface), x, w); + return false; } if (y < 0) { - fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y); - h += y; - y = 0; + fprintf(stderr, "%s: y was < 0 (%d)\n", name, y); + return false; + } + if (y > SVGA_MAX_HEIGHT) { + fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y); + return false; } if (h < 0) { - fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h); - h = 0; + fprintf(stderr, "%s: h was < 0 (%d)\n", name, h); + return false; + } + if (h > SVGA_MAX_HEIGHT) { + fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h); + return false; } if (y + h > surface_height(surface)) { - fprintf(stderr, "%s: update height too large y: %d, h: %d\n", - __func__, y, h); - y = MIN(y, surface_height(surface)); - h = surface_height(surface) - y; + fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n", + name, surface_height(surface), y, h); + return false; + } + + return true; +} + +static inline void vmsvga_update_rect(struct vmsvga_state_s *s, + int x, int y, int w, int h) +{ + DisplaySurface *surface = qemu_console_surface(s->vga.con); + int line; + int bypl; + int width; + int start; + uint8_t *src; + uint8_t *dst; + + if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) { + /* go for a fullscreen update as fallback */ + x = 0; + y = 0; + w = surface_width(surface); + h = surface_height(surface); } bypl = surface_stride(surface); @@ -376,7 +400,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s) } #ifdef HW_RECT_ACCEL -static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, +static inline int vmsvga_copy_rect(struct vmsvga_state_s *s, int x0, int y0, int x1, int y1, int w, int h) { DisplaySurface *surface = qemu_console_surface(s->vga.con); @@ -387,6 +411,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, int line = h; uint8_t *ptr[2]; + if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) { + return -1; + } + if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) { + return -1; + } + if (y1 > y0) { ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1); ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1); @@ -402,11 +433,12 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, } vmsvga_update_rect_delayed(s, x1, y1, w, h); + return 0; } #endif #ifdef HW_FILL_ACCEL -static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, +static inline int vmsvga_fill_rect(struct vmsvga_state_s *s, uint32_t c, int x, int y, int w, int h) { DisplaySurface *surface = qemu_console_surface(s->vga.con); @@ -419,6 +451,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, uint8_t *src; uint8_t col[4]; + if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) { + return -1; + } + col[0] = c; col[1] = c >> 8; col[2] = c >> 16; @@ -443,14 +479,15 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s, } vmsvga_update_rect_delayed(s, x, y, w, h); + return 0; } #endif struct vmsvga_cursor_definition_s { - int width; - int height; + uint32_t width; + uint32_t height; int id; - int bpp; + uint32_t bpp; int hot_x; int hot_y; uint32_t mask[1024]; @@ -503,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, } #endif -#define CMD(f) le32_to_cpu(s->cmd->f) - static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) { int num; @@ -512,21 +547,45 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) if (!s->config || !s->enable) { return 0; } - num = CMD(next_cmd) - CMD(stop); + + s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]); + s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]); + s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]); + s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]); + + /* Check range and alignment. */ + if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) { + return 0; + } + if (s->fifo_min < sizeof(uint32_t) * 4) { + return 0; + } + if (s->fifo_max > SVGA_FIFO_SIZE || + s->fifo_min >= SVGA_FIFO_SIZE || + s->fifo_stop >= SVGA_FIFO_SIZE || + s->fifo_next >= SVGA_FIFO_SIZE) { + return 0; + } + if (s->fifo_max < s->fifo_min + 10 * 1024) { + return 0; + } + + num = s->fifo_next - s->fifo_stop; if (num < 0) { - num += CMD(max) - CMD(min); + num += s->fifo_max - s->fifo_min; } return num >> 2; } static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s) { - uint32_t cmd = s->fifo[CMD(stop) >> 2]; + uint32_t cmd = s->fifo[s->fifo_stop >> 2]; - s->cmd->stop = cpu_to_le32(CMD(stop) + 4); - if (CMD(stop) >= CMD(max)) { - s->cmd->stop = s->cmd->min; + s->fifo_stop += 4; + if (s->fifo_stop >= s->fifo_max) { + s->fifo_stop = s->fifo_min; } + s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); return cmd; } @@ -538,15 +597,15 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s) static void vmsvga_fifo_run(struct vmsvga_state_s *s) { uint32_t cmd, colour; - int args, len; + int args, len, maxloop = 1024; int x, y, dx, dy, width, height; struct vmsvga_cursor_definition_s cursor; uint32_t cmd_start; len = vmsvga_fifo_length(s); - while (len > 0) { + while (len > 0 && --maxloop > 0) { /* May need to go back to the start of the command if incomplete */ - cmd_start = s->cmd->stop; + cmd_start = s->fifo_stop; switch (cmd = vmsvga_fifo_read(s)) { case SVGA_CMD_UPDATE: @@ -575,12 +634,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) width = vmsvga_fifo_read(s); height = vmsvga_fifo_read(s); #ifdef HW_FILL_ACCEL - vmsvga_fill_rect(s, colour, x, y, width, height); - break; -#else + if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) { + break; + } +#endif args = 0; goto badcmd; -#endif case SVGA_CMD_RECT_COPY: len -= 7; @@ -595,12 +654,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) width = vmsvga_fifo_read(s); height = vmsvga_fifo_read(s); #ifdef HW_RECT_ACCEL - vmsvga_copy_rect(s, x, y, dx, dy, width, height); - break; -#else + if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) { + break; + } +#endif args = 0; goto badcmd; -#endif case SVGA_CMD_DEFINE_CURSOR: len -= 8; @@ -617,8 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) cursor.bpp = vmsvga_fifo_read(s); args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); - if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || - SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { + if (cursor.width > 256 + || cursor.height > 256 + || cursor.bpp > 32 + || SVGA_BITMAP_SIZE(x, y) + > sizeof(cursor.mask) / sizeof(cursor.mask[0]) + || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) + > sizeof(cursor.image) / sizeof(cursor.image[0])) { goto badcmd; } @@ -702,7 +766,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) break; rewind: - s->cmd->stop = cmd_start; + s->fifo_stop = cmd_start; + s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); break; } } @@ -862,7 +927,7 @@ static uint32_t vmsvga_value_read(void *opaque, uint32_t address) break; case SVGA_REG_CURSOR_Y: - ret = s->cursor.x; + ret = s->cursor.y; break; case SVGA_REG_CURSOR_ON: @@ -959,19 +1024,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value) case SVGA_REG_CONFIG_DONE: if (value) { s->fifo = (uint32_t *) s->fifo_ptr; - /* Check range and alignment. */ - if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) { - break; - } - if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) { - break; - } - if (CMD(max) > SVGA_FIFO_SIZE) { - break; - } - if (CMD(max) < CMD(min) + 10 * 1024) { - break; - } vga_dirty_log_stop(&s->vga); } s->config = !!value; @@ -1051,10 +1103,12 @@ static inline void vmsvga_check_size(struct vmsvga_state_s *s) s->new_height != surface_height(surface) || s->new_depth != surface_bits_per_pixel(surface)) { int stride = (s->new_depth * s->new_width) / 8; + pixman_format_code_t format = + qemu_default_pixman_format(s->new_depth, true); trace_vmware_setmode(s->new_width, s->new_height, s->new_depth); surface = qemu_create_displaysurface_from(s->new_width, s->new_height, - s->new_depth, stride, - s->vga.vram_ptr, false); + format, stride, + s->vga.vram_ptr); dpy_gfx_replace_surface(s->vga.con, surface); s->invalidated = 1; } @@ -1081,7 +1135,7 @@ static void vmsvga_update_display(void *opaque) * Is it more efficient to look at vram VGA-dirty bits or wait * for the driver to issue SVGA_CMD_UPDATE? */ - if (memory_region_is_logging(&s->vga.vram)) { + if (memory_region_is_logging(&s->vga.vram, DIRTY_MEMORY_VGA)) { vga_sync_dirty_bitmap(&s->vga); dirty = memory_region_get_dirty(&s->vga.vram, 0, surface_stride(surface) * surface_height(surface), @@ -1151,9 +1205,8 @@ static const VMStateDescription vmstate_vmware_vga_internal = { .name = "vmware_vga_internal", .version_id = 0, .minimum_version_id = 0, - .minimum_version_id_old = 0, .post_load = vmsvga_post_load, - .fields = (VMStateField[]) { + .fields = (VMStateField[]) { VMSTATE_INT32_EQUAL(new_depth, struct vmsvga_state_s), VMSTATE_INT32(enable, struct vmsvga_state_s), VMSTATE_INT32(config, struct vmsvga_state_s), @@ -1178,8 +1231,7 @@ static const VMStateDescription vmstate_vmware_vga = { .name = "vmware_vga", .version_id = 0, .minimum_version_id = 0, - .minimum_version_id_old = 0, - .fields = (VMStateField[]) { + .fields = (VMStateField[]) { VMSTATE_PCI_DEVICE(parent_obj, struct pci_vmsvga_state_s), VMSTATE_STRUCT(chip, struct pci_vmsvga_state_s, 0, vmstate_vmware_vga_internal, struct vmsvga_state_s), @@ -1199,14 +1251,15 @@ static void vmsvga_init(DeviceState *dev, struct vmsvga_state_s *s, s->scratch_size = SVGA_SCRATCH_SIZE; s->scratch = g_malloc(s->scratch_size * 4); - s->vga.con = graphic_console_init(dev, &vmsvga_ops, s); + s->vga.con = graphic_console_init(dev, 0, &vmsvga_ops, s); s->fifo_size = SVGA_FIFO_SIZE; - memory_region_init_ram(&s->fifo_ram, NULL, "vmsvga.fifo", s->fifo_size); + memory_region_init_ram(&s->fifo_ram, NULL, "vmsvga.fifo", s->fifo_size, + &error_fatal); vmstate_register_ram_global(&s->fifo_ram); s->fifo_ptr = memory_region_get_ram_ptr(&s->fifo_ram); - vga_common_init(&s->vga, OBJECT(dev)); + vga_common_init(&s->vga, OBJECT(dev), true); vga_init(&s->vga, OBJECT(dev), address_space, io, true); vmstate_register(NULL, 0, &vmstate_vga_common, &s->vga); s->new_depth = 32; @@ -1256,7 +1309,7 @@ static const MemoryRegionOps vmsvga_io_ops = { }, }; -static int pci_vmsvga_initfn(PCIDevice *dev) +static void pci_vmsvga_realize(PCIDevice *dev, Error **errp) { struct pci_vmsvga_state_s *s = VMWARE_SVGA(dev); @@ -1281,8 +1334,6 @@ static int pci_vmsvga_initfn(PCIDevice *dev) /* compatibility with pc-0.13 and older */ vga_init_vbe(&s->chip.vga, OBJECT(dev), pci_address_space(dev)); } - - return 0; } static Property vga_vmware_properties[] = { @@ -1296,8 +1347,7 @@ static void vmsvga_class_init(ObjectClass *klass, void *data) DeviceClass *dc = DEVICE_CLASS(klass); PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); - k->no_hotplug = 1; - k->init = pci_vmsvga_initfn; + k->realize = pci_vmsvga_realize; k->romfile = "vgabios-vmware.bin"; k->vendor_id = PCI_VENDOR_ID_VMWARE; k->device_id = SVGA_PCI_DEVICE_ID; @@ -1307,6 +1357,7 @@ static void vmsvga_class_init(ObjectClass *klass, void *data) dc->reset = vmsvga_reset; dc->vmsd = &vmstate_vmware_vga; dc->props = vga_vmware_properties; + dc->hotpluggable = false; set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); }