From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Fri, 1 Sep 2017 14:57:38 +0200
Subject: [Qemu-devel] [PULL 1/5] vga: fix display update region calculation (split screen)
Cc: Gerd Hoffmann, P J P

vga display update mis-calculated the region for the dirty bitmap
snapshot in case split screen mode is used. This can trigger an
assert in cpu_physical_memory_snapshot_get_dirty().

Impact: DoS for privileged guest users.

Fixes: CVE-2017-13673
Fixes: fec5e8c92becad223df9d972770522f64aafdb72
Cc: P J P
Reported-by: David Buchanan
Signed-off-by: Gerd Hoffmann
Message-id: 20170828123307.15392-1-kraxel@redhat.com
Reviewed-by: Philippe Mathieu-Daudé
--- hw/display/vga.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hw/display/vga.c b/hw/display/vga.c index 3433102ef3..ad7a46563c 100644 --- a/hw/display/vga.c 
+++ b/hw/display/vga.c 
@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int = full_update) y1 =3D 0; =20 if (!full_update) { + ram_addr_t region_start =3D addr1; + ram_addr_t region_end =3D addr1 + line_offset * height; vga_sync_dirty_bitmap(s); - snap =3D memory_region_snapshot_and_clear_dirty(&s->vram, addr1, - line_offset * height, + if (s->line_compare < height) { + /* split screen mode */ + region_start =3D 0; + } + snap =3D memory_region_snapshot_and_clear_dirty(&s->vram, region_s= tart, + region_end - region_= start, DIRTY_MEMORY_VGA); } =20 --=20 2.9.3

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Fri, 1 Sep 2017 14:57:39 +0200
Subject: [Qemu-devel] [PULL 2/5] vga: stop passing pointers to vga_draw_line* functions
Cc: Gerd Hoffmann, P J P

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P
Reported-by: David Buchanan
Signed-off-by: Gerd Hoffmann
Message-id: 20170828122906.18993-1-kraxel@redhat.com
Reviewed-by: Philippe Mathieu-Daudé
--- hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++-----------------= ---- hw/display/vga_int.h | 1 + hw/display/vga.c | 5 +- 3 files changed, 114 insertions(+), 94 deletions(-) diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h index 94f6de2046..5a752b3f9e 100644 --- a/hw/display/vga-helpers.h 
+++ b/hw/display/vga-helpers.h @@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize, } while (--h); } =20 +static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr) +{ + return vga->vram_ptr[addr & vga->vbe_size_mask]; +} + +static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr) +{ + uint32_t offset =3D addr & vga->vbe_size_mask & ~1; + uint16_t *ptr =3D (uint16_t *)(vga->vram_ptr + offset); + return lduw_le_p(ptr); +} + +static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr) +{ + uint32_t offset =3D addr & vga->vbe_size_mask & ~1; + uint16_t *ptr =3D (uint16_t *)(vga->vram_ptr + offset); + return lduw_be_p(ptr); +} + +static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t add= r) +{ + uint32_t offset =3D addr & vga->vbe_size_mask & ~3; + uint32_t *ptr =3D (uint32_t *)(vga->vram_ptr + offset); + return ldl_le_p(ptr); +} + /* * 4 color mode */ -static void vga_draw_line2(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line2(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { uint32_t plane_mask, *palette, data, v; int x; =20 - palette =3D s1->last_palette; - plane_mask =3D mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + palette =3D vga->last_palette; + plane_mask =3D mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; width >>=3D 3; for(x =3D 0; x < width; x++) { - data =3D ((uint32_t *)s)[0]; + data =3D vga_read_dword_le(vga, addr); data &=3D plane_mask; v =3D expand2[GET_PLANE(data, 0)]; v |=3D expand2[GET_PLANE(data, 2)] << 2; @@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t = *d, ((uint32_t *)d)[6] =3D palette[(v >> 4) & 0xf]; ((uint32_t *)d)[7] =3D palette[(v >> 0) & 0xf]; d +=3D 32; - s +=3D 4; + addr +=3D 4; } } =20 
@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_= t *d, /* * 4 color mode, dup2 horizontal */ -static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { uint32_t plane_mask, *palette, data, v; int x; =20 - palette =3D s1->last_palette; - plane_mask =3D mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + palette =3D vga->last_palette; + plane_mask =3D mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; width >>=3D 3; for(x =3D 0; x < width; x++) { - data =3D ((uint32_t *)s)[0]; + data =3D vga_read_dword_le(vga, addr); data &=3D plane_mask; v =3D expand2[GET_PLANE(data, 0)]; v |=3D expand2[GET_PLANE(data, 2)] << 2; @@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint= 8_t *d, PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); d +=3D 64; - s +=3D 4; + addr +=3D 4; } } =20 /* * 16 color mode */ -static void vga_draw_line4(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line4(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { uint32_t plane_mask, data, v, *palette; int x; =20 - palette =3D s1->last_palette; - plane_mask =3D mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + palette =3D vga->last_palette; + plane_mask =3D mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; width >>=3D 3; for(x =3D 0; x < width; x++) { - data =3D ((uint32_t *)s)[0]; + data =3D vga_read_dword_le(vga, addr); data &=3D plane_mask; v =3D expand4[GET_PLANE(data, 0)]; v |=3D expand4[GET_PLANE(data, 1)] << 1; 
@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_= t *d, ((uint32_t *)d)[6] =3D palette[(v >> 4) & 0xf]; ((uint32_t *)d)[7] =3D palette[(v >> 0) & 0xf]; d +=3D 32; - s +=3D 4; + addr +=3D 4; } } =20 /* * 16 color mode, dup2 horizontal */ -static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { uint32_t plane_mask, data, v, *palette; int x; =20 - palette =3D s1->last_palette; - plane_mask =3D mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + palette =3D vga->last_palette; + plane_mask =3D mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; width >>=3D 3; for(x =3D 0; x < width; x++) { - data =3D ((uint32_t *)s)[0]; + data =3D vga_read_dword_le(vga, addr); data &=3D plane_mask; v =3D expand4[GET_PLANE(data, 0)]; v |=3D expand4[GET_PLANE(data, 1)] << 1; @@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_= t *d, PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); d +=3D 64; - s +=3D 4; + addr +=3D 4; } } =20 
@@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint= 8_t *d, * * XXX: add plane_mask support (never used in standard VGA modes) */ -static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { uint32_t *palette; int x; =20 - palette =3D s1->last_palette; + palette =3D vga->last_palette; width >>=3D 3; for(x =3D 0; x < width; x++) { - PUT_PIXEL2(d, 0, palette[s[0]]); - PUT_PIXEL2(d, 1, palette[s[1]]); - PUT_PIXEL2(d, 2, palette[s[2]]); - PUT_PIXEL2(d, 3, palette[s[3]]); + PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]); + PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]); + PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]); + PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]); d +=3D 32; - s +=3D 4; + addr +=3D 4; } } =20 
@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint= 8_t *d, * * XXX: add plane_mask support (never used in standard VGA modes) */ -static void vga_draw_line8(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line8(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { uint32_t *palette; int x; =20 - palette =3D s1->last_palette; + palette =3D vga->last_palette; width >>=3D 3; for(x =3D 0; x < width; x++) { - ((uint32_t *)d)[0] =3D palette[s[0]]; - ((uint32_t *)d)[1] =3D palette[s[1]]; - ((uint32_t *)d)[2] =3D palette[s[2]]; - ((uint32_t *)d)[3] =3D palette[s[3]]; - ((uint32_t *)d)[4] =3D palette[s[4]]; - ((uint32_t *)d)[5] =3D palette[s[5]]; - ((uint32_t *)d)[6] =3D palette[s[6]]; - ((uint32_t *)d)[7] =3D palette[s[7]]; + ((uint32_t *)d)[0] =3D palette[vga_read_byte(vga, addr + 0)]; + ((uint32_t *)d)[1] =3D palette[vga_read_byte(vga, addr + 1)]; + ((uint32_t *)d)[2] =3D palette[vga_read_byte(vga, addr + 2)]; + ((uint32_t *)d)[3] =3D palette[vga_read_byte(vga, addr + 3)]; + ((uint32_t *)d)[4] =3D palette[vga_read_byte(vga, addr + 4)]; + ((uint32_t *)d)[5] =3D palette[vga_read_byte(vga, addr + 5)]; + ((uint32_t *)d)[6] =3D palette[vga_read_byte(vga, addr + 6)]; + ((uint32_t *)d)[7] =3D palette[vga_read_byte(vga, addr + 7)]; d +=3D 32; - s +=3D 8; + addr +=3D 8; } } =20 /* * 15 bit color */ -static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { int w; uint32_t v, r, g, b; =20 w =3D width; do { - v =3D lduw_le_p((void *)s); + v =3D vga_read_word_le(vga, addr); r =3D (v >> 7) & 0xf8; g =3D (v >> 2) & 0xf8; b =3D (v << 3) & 0xf8; ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 2; + addr +=3D 2; d +=3D 4; } while (--w !=3D 0); } =20 -static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void 
vga_draw_line15_be(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { int w; uint32_t v, r, g, b; =20 w =3D width; do { - v =3D lduw_be_p((void *)s); + v =3D vga_read_word_be(vga, addr); r =3D (v >> 7) & 0xf8; g =3D (v >> 2) & 0xf8; b =3D (v << 3) & 0xf8; ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 2; + addr +=3D 2; d +=3D 4; } while (--w !=3D 0); } @@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, ui= nt8_t *d, /* * 16 bit color */ -static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { int w; uint32_t v, r, g, b; =20 w =3D width; do { - v =3D lduw_le_p((void *)s); + v =3D vga_read_word_le(vga, addr); r =3D (v >> 8) & 0xf8; g =3D (v >> 3) & 0xfc; b =3D (v << 3) & 0xf8; ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 2; + addr +=3D 2; d +=3D 4; } while (--w !=3D 0); } =20 -static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { int w; uint32_t v, r, g, b; =20 w =3D width; do { - v =3D lduw_be_p((void *)s); + v =3D vga_read_word_be(vga, addr); r =3D (v >> 8) & 0xf8; g =3D (v >> 3) & 0xfc; b =3D (v << 3) & 0xf8; ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 2; + addr +=3D 2; d +=3D 4; } while (--w !=3D 0); } 
@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, ui= nt8_t *d, /* * 24 bit color */ -static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { int w; uint32_t r, g, b; =20 w =3D width; do { - b =3D s[0]; - g =3D s[1]; - r =3D s[2]; + b =3D vga_read_byte(vga, addr + 0); + g =3D vga_read_byte(vga, addr + 1); + r =3D vga_read_byte(vga, addr + 2); ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 3; + addr +=3D 3; d +=3D 4; } while (--w !=3D 0); } =20 -static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { int w; uint32_t r, g, b; =20 w =3D width; do { - r =3D s[0]; - g =3D s[1]; - b =3D s[2]; + r =3D vga_read_byte(vga, addr + 0); + g =3D vga_read_byte(vga, addr + 1); + b =3D vga_read_byte(vga, addr + 2); ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 3; + addr +=3D 3; d +=3D 4; } while (--w !=3D 0); } 
@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, ui= nt8_t *d, /* * 32 bit color */ -static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { -#ifndef HOST_WORDS_BIGENDIAN - memcpy(d, s, width * 4); -#else int w; uint32_t r, g, b; =20 w =3D width; do { - b =3D s[0]; - g =3D s[1]; - r =3D s[2]; + b =3D vga_read_byte(vga, addr + 0); + g =3D vga_read_byte(vga, addr + 1); + r =3D vga_read_byte(vga, addr + 2); ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 4; + addr +=3D 4; d +=3D 4; } while (--w !=3D 0); -#endif } =20 -static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width) +static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d, + uint32_t addr, int width) { -#ifdef HOST_WORDS_BIGENDIAN - memcpy(d, s, width * 4); -#else int w; uint32_t r, g, b; =20 w =3D width; do { - r =3D s[1]; - g =3D s[2]; - b =3D s[3]; + r =3D vga_read_byte(vga, addr + 1); + g =3D vga_read_byte(vga, addr + 2); + b =3D vga_read_byte(vga, addr + 3); ((uint32_t *)d)[0] =3D rgb_to_pixel32(r, g, b); - s +=3D 4; + addr +=3D 4; d +=3D 4; } while (--w !=3D 0); -#endif } diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h index dd6c958da3..ad34a1f048 100644 --- a/hw/display/vga_int.h +++ b/hw/display/vga_int.h @@ -94,6 +94,7 @@ typedef struct VGACommonState { uint32_t vram_size; uint32_t vram_size_mb; /* property */ uint32_t vbe_size; + uint32_t vbe_size_mask; uint32_t latch; bool has_chain4_alias; MemoryRegion chain4_alias; diff --git a/hw/display/vga.c b/hw/display/vga.c index ad7a46563c..6fc8c8708a 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c 
@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, u= int32_t val) } =20 typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d, - const uint8_t *s, int width); + uint32_t srcaddr, int width); =20 #include "vga-helpers.h" =20 @@ -1666,7 +1666,7 @@ static void vga_draw_graphic(VGACommonState *s, int f= ull_update) if (y_start < 0) y_start =3D y; if (!(is_buffer_shared(surface))) { - vga_draw_line(s, d, s->vram_ptr + addr, width); + vga_draw_line(s, d, addr, width); if (s->cursor_draw_line) s->cursor_draw_line(s, d, y); } 
@@ -2170,6 +2170,7 @@ void vga_common_init(VGACommonState *s, Object *obj, = bool global_vmstate) if (!s->vbe_size) { s->vbe_size =3D s->vram_size; } + s->vbe_size_mask =3D s->vbe_size - 1; =20 s->is_vbe_vmstate =3D 1; memory_region_init_ram_nomigrate(&s->vram, obj, "vga.vram", s->vram_si= ze, --=20 2.9.3

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Fri, 1 Sep 2017 14:57:40 +0200
Subject: [Qemu-devel] [PULL 3/5] qxl: drop mono cursor support
Cc: Gerd Hoffmann

The chunk size sanity check in qxl_render_cursor works for
SPICE_CURSOR_TYPE_ALPHA cursors only. So support for
SPICE_CURSOR_TYPE_MONO cursors must be broken for ages without
anyone noticing. Most likely it simply isn't used any more by
guest drivers. Drop the dead code.

Signed-off-by: Gerd Hoffmann
Message-id: 20170828123933.30323-2-kraxel@redhat.com
Reviewed-by: Philippe Mathieu-Daudé
--- hw/display/qxl-render.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index 9ad9d9e0f5..e1b3f05ecb 100644 --- a/hw/display/qxl-render.c +++ b/hw/display/qxl-render.c @@ -207,7 +207,6 @@ void qxl_render_update_area_done(PCIQXLDevice *qxl, QXL= Cookie *cookie) static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor) { QEMUCursor *c; - uint8_t *image, *mask; size_t size; =20 c =3D cursor_alloc(cursor->header.width, cursor->header.height); 
@@ -221,14 +220,6 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCu= rsor *cursor) cursor_print_ascii_art(c, "qxl/alpha"); } break; - case SPICE_CURSOR_TYPE_MONO: - mask =3D cursor->chunk.data; - image =3D mask + cursor_get_mono_bpl(c) * c->width; - cursor_set_mono(c, 0xffffff, 0x000000, image, 1, mask); - if (qxl->debug > 2) { - cursor_print_ascii_art(c, "qxl/mono"); - } - break; default: fprintf(stderr, "%s: not implemented: type %d\n", __FUNCTION__, cursor->header.type); --=20 2.9.3

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Fri, 1 Sep 2017 14:57:41 +0200
Subject: [Qemu-devel] [PULL 4/5] qxl: add support for chunked cursors.
Cc: Gerd Hoffmann

Signed-off-by: Gerd Hoffmann
Message-id: 20170828123933.30323-3-kraxel@redhat.com
Reviewed-by: Philippe Mathieu-Daudé
--- hw/display/qxl-render.c | 36 +++++++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c index e1b3f05ecb..90e0865618 100644 --- a/hw/display/qxl-render.c +++ b/hw/display/qxl-render.c @@ -204,7 +204,33 @@ void qxl_render_update_area_done(PCIQXLDevice *qxl, QX= LCookie *cookie) g_free(cookie); } =20 -static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor) +static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl, + QXLDataChunk *chunk, uint32_t group_id) +{ + uint32_t max_chunks =3D 32; + size_t offset =3D 0; + size_t bytes; + + for (;;) { + bytes =3D MIN(size - offset, chunk->data_size); + memcpy(dest + offset, chunk->data, bytes); + offset +=3D bytes; + if (offset =3D=3D size) { + return; + } + chunk =3D qxl_phys2virt(qxl, chunk->next_chunk, group_id); + if (!chunk) { + return; + } + max_chunks--; + if (max_chunks =3D=3D 0) { + return; + } + } +} + +static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + uint32_t group_id) { QEMUCursor *c; size_t size; @@ -215,7 +241,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCur= sor *cursor) switch (cursor->header.type) { case SPICE_CURSOR_TYPE_ALPHA: size =3D sizeof(uint32_t) * cursor->header.width * cursor->header.= height; - memcpy(c->data, cursor->chunk.data, size); + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); if (qxl->debug > 2) { cursor_print_ascii_art(c, "qxl/alpha"); } 
@@ -259,11 +285,7 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt= *ext) if (!cursor) { return 1; } - if (cursor->chunk.data_size !=3D cursor->data_size) { - fprintf(stderr, "%s: multiple chunks\n", __FUNCTION__); - return 1; - } - c =3D qxl_cursor(qxl, cursor); + c =3D qxl_cursor(qxl, cursor, ext->group_id); if (c =3D=3D NULL) { c =3D cursor_builtin_left_ptr(); } --=20 2.9.3

From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Fri, 1 Sep 2017 14:57:42 +0200
Subject: [Qemu-devel] [PULL 5/5] vga/migration: Update memory map in post_load
Cc: "Dr. David Alan Gilbert", Gerd Hoffmann

From: "Dr. David Alan Gilbert"

After migration the chain4 alias mapping added by 80763888 (in 2011)
might be missing, since there's no call to vga_update_memory_access
in the post_load after the registers are updated. Add it back.

Signed-off-by: Dr. David Alan Gilbert
Reviewed-by: Juan Quintela
Message-id: 20170804113329.13609-1-dgilbert@redhat.com
Signed-off-by: Gerd Hoffmann
Reviewed-by: Philippe Mathieu-Daudé
--- hw/display/vga.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/display/vga.c b/hw/display/vga.c index 6fc8c8708a..ed24ef7076 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -2050,6 +2050,7 @@ static int vga_common_post_load(void *opaque, int ver= sion_id) /* force refresh */ s->graphic_mode =3D -1; vbe_update_vgaregs(s); + vga_update_memory_access(s); return 0; } =20 --=20 2.9.3
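
Review bot: in the vga_draw_graphic hunk of patch 1/5 (hw/display/vga.c), nothing bounds region_end = addr1 + line_offset * height against the size of s->vram, so the length region_end - region_start handed to memory_region_snapshot_and_clear_dirty() can still exceed the region even after the split screen fix. Suggest clamping region_end to the vram size, or falling back to a full update when it would exceed it, before taking the snapshot. The /* split screen mode */ comment could also say why the snapshot has to start at 0 in that case.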
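
Review bot: in the vga_read_* helpers added at the top of hw/display/vga-helpers.h (patch 2/5, hunk at -95,20), the word and dword readers apply & ~1 and & ~3 after the mask, so an unaligned addr is silently rounded down and a caller gets different bytes than the old pointer-based code returned. If the alignment is there only to keep a 2 or 4 byte load from running past the end of vram, a comment above the helpers should say so, and also state that out-of-range addresses wrap instead of failing. The (uint16_t *) and (uint32_t *) casts look unnecessary, since the removed callers passed (void *)s to lduw_le_p() directly.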
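
Review bot: in the vga_draw_line32_le / vga_draw_line32_be hunk of patch 2/5 (hw/display/vga-helpers.h, hunk at -396,44), removing the HOST_WORDS_BIGENDIAN memcpy fast path means every 32 bpp pixel now costs three vga_read_byte() calls plus rgb_to_pixel32() on both host endiannesses, and the commit message does not mention the slowdown. Consider one masked read per pixel, or keeping a bulk copy for the part of the line that provably does not cross the end of vram, and note the trade-off in the commit message either way.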
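
Review bot: in the vga_draw_line_func typedef hunk of patch 2/5 (hw/display/vga.c, hunk at -1005,7), the prototype keeps s1 and introduces srcaddr while every helper it describes was renamed to use vga and addr. Using the same two names in the typedef would keep the signature and its implementations consistent.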
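
Review bot: in the vga_common_init hunk of patch 2/5 (hw/display/vga.c, hunk at -2170,6), s->vbe_size_mask = s->vbe_size - 1 is a usable mask only when vbe_size is a power of two, and the hunk does not check that. The preceding if (!s->vbe_size) shows the value can be set by the caller, so an assertion here (or rounding to a power of two) would make a bad size fail at init instead of producing a mask with holes that the vga_read_* helpers then trust.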
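
Review bot: in the qxl_cursor switch hunk of patch 3/5 (hw/display/qxl-render.c, hunk at -221,14), dropping the SPICE_CURSOR_TYPE_MONO case sends mono cursors to the default branch, which does an unconditional fprintf(stderr, ...) on every such cursor. Since cursor->header.type comes from the cursor command being rendered, consider rate limiting that message or turning it into a trace point, and say in the commit message that mono cursors now land in the "not implemented" path.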
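
Review bot: in qxl_unpack_chunks() (patch 4/5, hw/display/qxl-render.c, hunk at -204,7), chunk->data_size is taken from the chunk itself and the memcpy reads up to that many bytes from chunk->data with no check that the chunk header plus its data lies inside the memory that qxl_phys2virt() translated; only the write into dest is capped by size. Suggest validating each chunk's extent before copying. The function also returns void, so the early returns on a NULL chunk or on max_chunks reaching 0 leave dest partly filled without the caller knowing; returning the number of bytes copied would let qxl_cursor() reject a short cursor. The commit message is empty, and a sentence on the 32 chunk limit would help.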
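
Review bot: in the qxl_render_cursor hunk of patch 4/5 (hw/display/qxl-render.c, hunk at -259,11), removing the cursor->chunk.data_size != cursor->data_size test leaves cursor->data_size unused in the visible code, while qxl_cursor() derives the copy size from header.width * header.height alone. Suggest keeping a check that cursor->data_size covers the computed size before unpacking, so a cursor whose declared data is smaller than its dimensions is rejected instead of being assembled from whatever the chunk chain yields.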
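
Review bot: in the vga_common_post_load hunk of patch 5/5 (hw/display/vga.c), the added vga_update_memory_access(s) call sits under the existing /* force refresh */ comment, which does not describe it. A one-line comment saying that it restores the chain4 alias mapping once the registers are loaded, as the commit message explains, would keep the reason next to the code.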