From: Leonid Shatz <leonid.shatz@oracle.com>
We parse the command structure, but ignore the hint given by the command.
Without parsing it, the command FIFO could get out of sync and cause
the vmware-svga device to hang.
From Linux kernel drivers/gpu/drm/vmwgfx/device_include/svga_reg.h:
/*
* SVGA_CMD_FRONT_ROP_FILL --
*
* This is a hint which tells the SVGA device that the driver has
* just filled a rectangular region of the GFB with a solid
* color. Instead of reading these pixels from the GFB, the device
* can assume that they all equal 'color'. This is primarily used
* for remote desktop protocols.
*
* Availability:
* SVGA_FIFO_CAP_ACCELFRONT
*/
typedef
struct {
uint32 color; /* In the same format as the GFB */
uint32 x;
uint32 y;
uint32 width;
uint32 height;
uint32 rop; /* Must be SVGA_ROP_COPY */
}
SVGAFifoCmdFrontRopFill;
Signed-off-by: Leonid Shatz <leonid.shatz@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
---
hw/display/vmware_vga.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index d3a78809673d..fab6443a87e2 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -693,6 +693,14 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
goto badcmd;
#endif
+ case SVGA_CMD_FRONT_ROP_FILL:
+ len -= 1;
+ if (len < 0) {
+ goto rewind;
+ }
+ args = 6;
+ goto ignoredcmd;
+
/*
* Deprecated commands are neither documented in VMware SVGA development kit
* nor in Linux kernel vmware-svga driver source code.
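Review bot: The new `SVGA_CMD_FRONT_ROP_FILL` case sets `args = 6` as a bare literal, with nothing tying it to the six `uint32` fields of `SVGAFifoCmdFrontRopFill` quoted in the commit message. A comment above the assignment, such as `/* 6 words: color, x, y, width, height, rop (SVGAFifoCmdFrontRopFill) */`, would keep the count auditable. The case only accounts for one word (`len -= 1`) before jumping, so the check that all six driver-supplied argument words are present in the FIFO has to happen at the `ignoredcmd` label, which is outside this hunk. It is worth confirming that the label subtracts `args` from `len` and takes the `rewind` path before reading any argument, since a short FIFO would otherwise reintroduce the desync this patch is meant to prevent. `vmsvga_fifo_run` starts and ends outside the hunk.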
@@ -759,7 +767,6 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
*/
case SVGA_CMD_SURFACE_FILL:
case SVGA_CMD_SURFACE_COPY:
- case SVGA_CMD_FRONT_ROP_FILL:
case SVGA_CMD_FENCE:
case SVGA_CMD_INVALID_CMD:
break; /* Nop */
--
1.9.1