path: root/hw/display/vga.c
Commit message (author, date; files changed, lines -removed/+added)
* hw/display/vga: Remove redundant statement in vga_draw_graphic() (Chen Qun, 2020-09-01; 1 file, -1/+0)

    Clang static code analyzer shows a warning:

        hw/display/vga.c:1677:9: warning: Value stored to 'update' is never read
                update = full_update;
                ^        ~~~~~~~~~~~

    Reported-by: Euler Robot <euler.robot@huawei.com>
    Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
    Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Li Qiang <liq3ea@gmail.com>
    Message-Id: <20200827110311.164316-11-kuhn.chenqun@huawei.com>
    Signed-off-by: Laurent Vivier <laurent@vivier.eu>
* vga: cleanup mapping of VRAM for non-PCI VGA (Paolo Bonzini, 2019-12-18; 1 file, -12/+0)

    vga_init_vbe is now used only from ISA VGA cards. Since the alias is not
    needed anymore, remove it (effectively reverting commit 8294a64d7f, "vga:
    fix vram double-mapping with -vga std and -M pc-0.12", 2012-05-29) and the
    now unused vbe_mapped field of VGACommonState.

    The function now consists of a single memory_region_add_subregion call,
    so we can inline it; this avoids incorrect usage from PCI cards.

    Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Based-on: <05af415a-5058-98b4-4a12-9d093a30b1e3@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw/display: Remove "rombar" hack from vga-pci and vmware_vga (Thomas Huth, 2019-12-18; 1 file, -3/+1)

    Now that the old pc-0.x machine types have been removed, we do not need
    the old "rombar" hacks anymore.

    Signed-off-by: Thomas Huth <thuth@redhat.com>
    Message-Id: <20191209125248.5849-5-thuth@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* vga: move access helpers to separate include file (Gerd Hoffmann, 2019-09-19; 1 file, -0/+1)

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Message-id: 20190917111441.27405-2-kraxel@redhat.com
* Include hw/hw.h exactly where needed (Markus Armbruster, 2019-08-16; 1 file, -1/+0)

    In my "build everything" tree, changing hw/hw.h triggers a recompile of
    some 2600 out of 6600 objects (not counting tests and objects that don't
    depend on qemu/osdep.h).

    The previous commits have left only the declaration of hw_error() in
    hw/hw.h. This permits dropping most of its inclusions. Touching it now
    recompiles less than 200 objects.

    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Message-Id: <20190812052359.30071-19-armbru@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
* Include migration/vmstate.h less (Markus Armbruster, 2019-08-16; 1 file, -0/+1)

    In my "build everything" tree, changing migration/vmstate.h triggers a
    recompile of some 2700 out of 6600 objects (not counting tests and objects
    that don't depend on qemu/osdep.h).

    hw/hw.h supposedly includes it for convenience. Several other headers
    include it just to get VMStateDescription. The previous commit made that
    unnecessary.

    Include migration/vmstate.h only where it's still needed. Touching it now
    recompiles only some 1600 objects.

    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Message-Id: <20190812052359.30071-16-armbru@redhat.com>
    Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
* Include sysemu/reset.h a lot less (Markus Armbruster, 2019-08-16; 1 file, -0/+2)

    In my "build everything" tree, changing sysemu/reset.h triggers a
    recompile of some 2600 out of 6600 objects (not counting tests and objects
    that don't depend on qemu/osdep.h).

    The main culprit is hw/hw.h, which supposedly includes it for convenience.

    Include sysemu/reset.h only where it's needed. Touching it now recompiles
    less than 200 objects.

    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Message-Id: <20190812052359.30071-9-armbru@redhat.com>
* avoid TABs in files that only contain a few (Paolo Bonzini, 2019-01-11; 1 file, -4/+4)

    Most files that have TABs only contain a handful of them. Change them to
    spaces so that we don't confuse people.

    disas, standard-headers, linux-headers and libdecnumber are imported from
    other projects and probably should be exempted from the check. Outside
    those, after this patch the following files still contain both 8-space and
    TAB sequences at the beginning of the line. Many of them have a majority
    of TABs, or were initially committed with all tabs.

        bsd-user/i386/target_syscall.h bsd-user/x86_64/target_syscall.h
        crypto/aes.c hw/audio/fmopl.c hw/audio/fmopl.h hw/block/tc58128.c
        hw/display/cirrus_vga.c hw/display/xenfb.c hw/dma/etraxfs_dma.c
        hw/intc/sh_intc.c hw/misc/mst_fpga.c hw/net/pcnet.c hw/sh4/sh7750.c
        hw/timer/m48t59.c hw/timer/sh_timer.c include/crypto/aes.h
        include/disas/bfd.h include/hw/sh4/sh.h libdecnumber/decNumber.c
        linux-headers/asm-generic/unistd.h linux-headers/linux/kvm.h
        linux-user/alpha/target_syscall.h linux-user/arm/nwfpe/double_cpdo.c
        linux-user/arm/nwfpe/fpa11_cpdt.c linux-user/arm/nwfpe/fpa11_cprt.c
        linux-user/arm/nwfpe/fpa11.h linux-user/flat.h linux-user/flatload.c
        linux-user/i386/target_syscall.h linux-user/ppc/target_syscall.h
        linux-user/sparc/target_syscall.h linux-user/syscall.c
        linux-user/syscall_defs.h linux-user/x86_64/target_syscall.h
        slirp/cksum.c slirp/if.c slirp/ip.h slirp/ip_icmp.c slirp/ip_icmp.h
        slirp/ip_input.c slirp/ip_output.c slirp/mbuf.c slirp/misc.c
        slirp/sbuf.c slirp/socket.c slirp/socket.h slirp/tcp_input.c
        slirp/tcpip.h slirp/tcp_output.c slirp/tcp_subr.c slirp/tcp_timer.c
        slirp/tftp.c slirp/udp.c slirp/udp.h target/cris/cpu.h
        target/cris/mmu.c target/cris/op_helper.c target/sh4/helper.c
        target/sh4/op_helper.c target/sh4/translate.c tcg/sparc/tcg-target.inc.c
        tests/tcg/cris/check_addo.c tests/tcg/cris/check_moveq.c
        tests/tcg/cris/check_swap.c tests/tcg/multiarch/test-mmap.c
        ui/vnc-enc-hextile-template.h ui/vnc-enc-zywrle.h util/envlist.c
        util/readline.c

    The following have only TABs:

        bsd-user/i386/target_signal.h bsd-user/sparc64/target_signal.h
        bsd-user/sparc64/target_syscall.h bsd-user/sparc/target_signal.h
        bsd-user/sparc/target_syscall.h bsd-user/x86_64/target_signal.h
        crypto/desrfb.c hw/audio/intel-hda-defs.h hw/core/uboot_image.h
        hw/sh4/sh7750_regnames.c hw/sh4/sh7750_regs.h
        include/hw/cris/etraxfs_dma.h linux-user/alpha/termbits.h
        linux-user/arm/nwfpe/fpopcode.h linux-user/arm/nwfpe/fpsr.h
        linux-user/arm/syscall_nr.h linux-user/arm/target_signal.h
        linux-user/cris/target_signal.h linux-user/i386/target_signal.h
        linux-user/linux_loop.h linux-user/m68k/target_signal.h
        linux-user/microblaze/target_signal.h linux-user/mips64/target_signal.h
        linux-user/mips/target_signal.h linux-user/mips/target_syscall.h
        linux-user/mips/termbits.h linux-user/ppc/target_signal.h
        linux-user/sh4/target_signal.h linux-user/sh4/termbits.h
        linux-user/sparc64/target_syscall.h linux-user/sparc/target_signal.h
        linux-user/x86_64/target_signal.h linux-user/x86_64/termbits.h
        pc-bios/optionrom/optionrom.h slirp/mbuf.h slirp/misc.h slirp/sbuf.h
        slirp/tcp.h slirp/tcp_timer.h slirp/tcp_var.h target/i386/svm.h
        target/sparc/asi.h target/xtensa/core-dc232b/xtensa-modules.inc.c
        target/xtensa/core-dc233c/xtensa-modules.inc.c
        target/xtensa/core-de212/core-isa.h
        target/xtensa/core-de212/xtensa-modules.inc.c
        target/xtensa/core-fsf/xtensa-modules.inc.c
        target/xtensa/core-sample_controller/core-isa.h
        target/xtensa/core-sample_controller/xtensa-modules.inc.c
        target/xtensa/core-test_kc705_be/core-isa.h
        target/xtensa/core-test_kc705_be/xtensa-modules.inc.c
        tests/tcg/cris/check_abs.c tests/tcg/cris/check_addc.c
        tests/tcg/cris/check_addcm.c tests/tcg/cris/check_addoq.c
        tests/tcg/cris/check_bound.c tests/tcg/cris/check_ftag.c
        tests/tcg/cris/check_int64.c tests/tcg/cris/check_lz.c
        tests/tcg/cris/check_openpf5.c tests/tcg/cris/check_sigalrm.c
        tests/tcg/cris/crisutils.h tests/tcg/cris/sys.c
        tests/tcg/i386/test-i386-ssse3.c ui/vgafont.h

    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Message-Id: <20181213223737.11793-3-pbonzini@redhat.com>
    Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
    Acked-by: Richard Henderson <richard.henderson@linaro.org>
    Acked-by: Eric Blake <eblake@redhat.com>
    Acked-by: David Gibson <david@gibson.dropbear.id.au>
    Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* use dpy_gfx_update_full (Gerd Hoffmann, 2018-08-30; 1 file, -2/+1)

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20180810132856.22833-1-kraxel@redhat.com
* Merge remote-tracking branch 'remotes/kraxel/tags/vga-20180703-pull-request' into staging (Peter Maydell, 2018-07-03; 1 file, -2/+2)

    vga: disable global_vmstate, virtio-gpu scanout tracking fixes.

    # gpg: Signature made Tue 03 Jul 2018 10:44:56 BST
    # gpg:                using RSA key 4CB6D8EED3E87138
    # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
    # gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
    # gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
    # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138

    * remotes/kraxel/tags/vga-20180703-pull-request:
      vga: disable global_vmstate for 3.0+ machine types
      virtio-gpu: disable scanout when backing resource is destroyed
      virtio-gpu: update old resource too.
      virtio-gpu: tweak scanout disable.

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

    # Conflicts:
    #	hw/display/qxl.c
    #	hw/display/vga-isa-mm.c
* vga: disable global_vmstate for 3.0+ machine types (Gerd Hoffmann, 2018-07-03; 1 file, -2/+2)

    Move global_vmstate from vga_common_init() parameter to VGACommonState
    field.

    Set global_vmstate to true for isa vga devices, so nothing changes here.
    virtio-vga and secondary-vga already set global_vmstate to false so no
    change here either.

    All other pci vga devices get a new global-vmstate property, defaulting to
    false. A compat property flips it to true for older machine types.

    With this in place you don't get a vmstate section naming conflict any
    more when adding multiple pci vga devices to your vm.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-Id: <20180702163345.17892-1-kraxel@redhat.com>
* hw/display: Use the IEC binary prefix definitions (Philippe Mathieu-Daudé, 2018-07-02; 1 file, -2/+3)

    It eases code review, unit is explicit.

    Patch generated using:

        $ git grep -E '(1024|2048|4096|8192|(<<|>>).?(10|20|30))' hw/ include/hw/

    and modified manually.

    Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Message-Id: <20180625124238.25339-15-f4bug@amsat.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* vga: cleanup surface handling (Gerd Hoffmann, 2018-06-04; 1 file, -17/+19)

    Just set the full_update flag if we need a new DisplaySurface. Create a
    new surface when the flag is set instead of having two places where
    qemu_create_displaysurface_from() is called.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20180525131318.28437-1-kraxel@redhat.com
* vga: catch depth 0 (Gerd Hoffmann, 2018-05-24; 1 file, -5/+18)

    depth == 0 is used to indicate 256 color modes. Our region calculation
    goes wrong in that case. So detect that and just take the safe code path
    we already have for the wraparound case.

    While being at it also catch depth == 15 (where our region size
    calculation goes wrong too). And make the comment more verbose,
    explaining what is going on here.

    Without this windows guest install might trigger an assert due to trying
    to check dirty bitmap outside the snapshot region.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1575541
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20180514103117.21059-1-kraxel@redhat.com
* vga: fix region calculation (Gerd Hoffmann, 2018-03-12; 1 file, -0/+2)

    Typically the scanline length and the line offset are identical. But in
    case they are not our calculation for region_end is incorrect. Using
    line_offset is fine for all scanlines, except the last one where we have
    to use the actual scanline length.

    Fixes: CVE-2018-7550
    Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
    Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Message-id: 20180309143704.13420-1-kraxel@redhat.com
* memory: hide memory_region_sync_dirty_bitmap behind DirtyBitmapSnapshot (Paolo Bonzini, 2018-02-13; 1 file, -6/+0)

    Simplify the users of memory_region_snapshot_and_clear_dirty, so that
    they do not have to call memory_region_sync_dirty_bitmap explicitly.

    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* vga: check the validation of memory addr when draw text (linzhecheng, 2018-01-25; 1 file, -0/+3)

    Start a vm with

        qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda redhat_5.11.qcow2 -device pcnet -vga cirrus

    then use a VNC client to connect to the VM, and execute the code below in
    the guest OS; it will lead to a qemu crash:

        int main()
        {
            iopl(3);
            srand(time(NULL));
            int a,b;
            while(1){
                a = rand()%0x100;
                b = 0x3c0 + (rand()%0x20);
                outb(a,b);
            }
            return 0;
        }

    The above code is writing the registers of VGA randomly. We can write VGA
    CRT controller registers index 0x0C or 0x0D (which is the start address
    register) to modify the display memory address of the upper left pixel or
    character of the screen. The address may be out of the range of vga ram.
    So we should check the validation of memory address when reading or
    writing it to avoid segfault.

    Signed-off-by: linzhecheng <linzhecheng@huawei.com>
    Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
    Fixes: CVE-2018-5683
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* hw/display/vga: extract public API from i386/pc to "hw/display/vga.h" (Philippe Mathieu-Daudé, 2017-12-18; 1 file, -1/+1)

    and remove the old i386/pc dependency.

    Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Reviewed-by: Thomas Huth <thuth@redhat.com>
    Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* hw/display/vga: "vga_int.h" requires "ui/console.h" (Philippe Mathieu-Daudé, 2017-12-18; 1 file, -1/+0)

    since the VGACommonState struct has a GraphicHwOps *hw_ops member, then
    remove the now unnecessary includes.

    Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Reviewed-by: Thomas Huth <thuth@redhat.com>
    Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* hw/display/vga: "vga.h" only contains registers defs, rename it "vga_regs.h" (Philippe Mathieu-Daudé, 2017-12-18; 1 file, -1/+1)

    Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Reviewed-by: Thomas Huth <thuth@redhat.com>
    Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* vga: fix region checks in wraparound case (Gerd Hoffmann, 2017-11-10; 1 file, -2/+2)

    Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
    Message-id: 20171030102830.4469-1-kraxel@redhat.com
* vga: add ram_addr_t cast (Gerd Hoffmann, 2017-10-17; 1 file, -1/+1)

    Reported by Coverity.

    Fixes: CID 1381409
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20171010141323.14049-4-kraxel@redhat.com
* vga: handle cirrus vbe mode wraparounds. (Gerd Hoffmann, 2017-10-17; 1 file, -7/+21)

    Commit "3d90c62548 vga: stop passing pointers to vga_draw_line* functions"
    is incomplete. It doesn't handle the case that the vga rendering code
    tries to create a shared surface, i.e. a pixman image backed by vga video
    memory. That can not work in case the guest display wraps from end of
    video memory to the start.

    So force shadowing in that case. Also adjust the snapshot region
    calculation.

    Can trigger with cirrus only, when programming vbe modes using the bochs
    api (stdvga, also qxl and virtio-vga in vga compat mode) wrap arounds
    can't happen.

    Fixes: CVE-2017-13672
    Fixes: 3d90c6254863693a6b13d918d2b8682e08bbc681
    Cc: P J P <ppandit@redhat.com>
    Reported-by: David Buchanan <d@vidbuchanan.co.uk>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20171010141323.14049-3-kraxel@redhat.com
* vga: drop line_offset variable (Gerd Hoffmann, 2017-10-17; 1 file, -4/+3)

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga/migration: Update memory map in post_load (Dr. David Alan Gilbert, 2017-09-01; 1 file, -0/+1)

    After migration the chain4 alias mapping added by 80763888 (in 2011)
    might be missing, since there's no call to vga_update_memory_access in
    the post_load after the registers are updated. Add it back.

    Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
    Reviewed-by: Juan Quintela <quintela@redhat.com>
    Message-id: 20170804113329.13609-1-dgilbert@redhat.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: stop passing pointers to vga_draw_line* functions (Gerd Hoffmann, 2017-09-01; 1 file, -2/+3)

    Instead pass around the address (aka offset into vga memory). Add
    vga_read_* helper functions which apply vbe_size_mask to the address, to
    make sure the address stays within the valid range, similar to the cirrus
    blitter fixes (commits ffaf857778 and 026aeffcb4).

    Impact: DoS for privileged guest users. qemu crashes with a segfault,
    when hitting the guard page after vga memory allocation, while reading
    vga memory for display updates.

    Fixes: CVE-2017-13672
    Cc: P J P <ppandit@redhat.com>
    Reported-by: David Buchanan <d@vidbuchanan.co.uk>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20170828122906.18993-1-kraxel@redhat.com
* vga: fix display update region calculation (split screen) (Gerd Hoffmann, 2017-09-01; 1 file, -2/+8)

    vga display update mis-calculated the region for the dirty bitmap
    snapshot in case split screen mode is used. This can trigger an assert
    in cpu_physical_memory_snapshot_get_dirty().

    Impact: DoS for privileged guest users.

    Fixes: CVE-2017-13673
    Fixes: fec5e8c92becad223df9d972770522f64aafdb72
    Cc: P J P <ppandit@redhat.com>
    Reported-by: David Buchanan <d@vidbuchanan.co.uk>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20170828123307.15392-1-kraxel@redhat.com
* vga: use DIV_ROUND_UP (Marc-André Lureau, 2017-08-31; 1 file, -1/+1)

    I used the clang-tidy qemu-round check to generate the fix:

        https://github.com/elmarco/clang-tools-extra

    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Reviewed-by: Richard Henderson <rth@twiddle.net>
* memory: Rename memory_region_init_ram() to memory_region_init_ram_nomigrate() (Peter Maydell, 2017-07-14; 1 file, -1/+1)

    Rename memory_region_init_ram() to memory_region_init_ram_nomigrate().
    This leaves the way clear for us to provide a memory_region_init_ram()
    which does handle migration.

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Message-id: 1499438577-7674-4-git-send-email-peter.maydell@linaro.org
* vmstate: error hint for failed equal checks (Halil Pasic, 2017-06-28; 1 file, -1/+1)

    In some cases a failing VMSTATE_*_EQUAL does not mean we detected a bug,
    but it's actually the best we can do. Especially in these cases a verbose
    error message is required.

    Let's introduce infrastructure for specifying an error hint to be used if
    equal check fails. Let's do this by adding a parameter to the _EQUAL
    macros called _err_hint. Also change all current users to pass NULL as
    last parameter so nothing changes for them.

    Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
    Message-Id: <20170623144823.42936-1-pasic@linux.vnet.ibm.com>
    Reviewed-by: Juan Quintela <quintela@redhat.com>
    Signed-off-by: Juan Quintela <quintela@redhat.com>
* vga: fix display update region calculation (Gerd Hoffmann, 2017-05-11; 1 file, -1/+1)

    vga display update mis-calculated the region for the dirty bitmap
    snapshot in case the scanlines are padded. This can trigger an assert in
    cpu_physical_memory_snapshot_get_dirty().

    Fixes: fec5e8c92becad223df9d972770522f64aafdb72
    Reported-by: Kevin Wolf <kwolf@redhat.com>
    Reported-by: 李强 <liqiang6-s@360.cn>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20170509104839.19415-1-kraxel@redhat.com
* vga: make display updates thread safe. (Gerd Hoffmann, 2017-04-24; 1 file, -19/+17)

    The vga code clears the dirty bits *after* reading the framebuffer
    memory. So if a guest framebuffer update hits the race window between
    vga reading the framebuffer and vga clearing the dirty bits, vga will
    miss that update.

    Fix it by using the new memory_region_copy_and_clear_dirty() and
    memory_region_copy_get_dirty() functions. That way we clear the dirty
    bitmap before reading the framebuffer. Any guest display updates
    happening in parallel will be properly tracked in the dirty bitmap then
    and the next display refresh will pick them up.

    Problem triggers with mttcg only. Before mttcg was merged tcg never ran
    in parallel to vga emulation. Using kvm will hide the problem too, due
    to qemu operating on a userspace copy of the kernel's dirty bitmap.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20170421091632.30900-5-kraxel@redhat.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: add vga_scanline_invalidated helper (Gerd Hoffmann, 2017-04-24; 1 file, -3/+11)

    Add vga_scanline_invalidated helper to check whenever a scanline was
    invalidated. Add a sanity check to fix OOB read access for display
    heights larger than 2048.

    Only cirrus uses this, for hardware cursor rendering, so having this work
    properly for the first 2048 scanlines only shouldn't be a problem as the
    cirrus can't handle large resolutions anyway. Also changing the
    invalidated_y_table size would break live migration.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 20170421091632.30900-4-kraxel@redhat.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: replace debug printf with trace points (Gerd Hoffmann, 2017-02-10; 1 file, -23/+4)

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Laurent Vivier <lvivier@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Message-id: 1486561893-26470-1-git-send-email-kraxel@redhat.com
* coccinelle: Remove unnecessary variables for function return value (Eduardo Habkost, 2016-06-20; 1 file, -3/+1)

    Use Coccinelle script to replace 'ret = E; return ret' with 'return E'.
    The script will do the substitution only when the function return type
    and variable type are the same.

    Manual fixups:

    * audio/audio.c: coding style of "read (...)" and "write (...)"
    * block/qcow2-cluster.c: wrap line to make it shorter
    * block/qcow2-refcount.c: change indentation of wrapped line
    * target-tricore/op_helper.c: fix coding style of "remainder|quotient"
    * target-mips/dsp_helper.c: reverted changes because I don't want to
      argue about checkpatch.pl
    * ui/qemu-pixman.c: fix line indentation
    * block/rbd.c: restore blank line between declarations and statements

    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
    Message-Id: <1465855078-19435-4-git-send-email-ehabkost@redhat.com>
    Reviewed-by: Markus Armbruster <armbru@redhat.com>
    [Unused Coccinelle rule name dropped along with a redundant comment;
    whitespace touched up in block/qcow2-cluster.c; stale commit message
    paragraph deleted]
    Signed-off-by: Markus Armbruster <armbru@redhat.com>
* vga: add sr_vbe register set (Gerd Hoffmann, 2016-05-23; 1 file, -22/+28)

    Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
    (CVE-2016-3712)." causes a regression. The win7 installer is unhappy
    because it can't freely modify vga registers any more while in vbe mode.

    This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
    will fill sr_vbe[] instead of sr[]. Normal vga register reads and writes
    go to sr[]. Any sr register read access happens through a new sr()
    helper function which will read from sr_vbe[] with vbe active and from
    sr[] otherwise.

    This way we can allow guests update sr[] registers as they want, without
    allowing them to disrupt vbe video modes that way.

    Cc: qemu-stable@nongnu.org
    Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
* vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). (Gerd Hoffmann, 2016-05-02; 1 file, -0/+6)

    Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
    registers, to make sure the vga registers will always have the values
    needed by vbe mode. This makes sure the sanity checks applied by
    vbe_fixup_regs() are effective.

    Without this guests can muck with shift_control, can turn on planar vga
    modes or text mode emulation while VBE is active, making qemu take code
    paths meant for CGA compatibility, but with the very large display
    widths and heights settable using VBE registers.

    Which is good for one or another buffer overflow. Not that critical as
    they are typically read overflows happening somewhere in the display
    code. So guests can DoS by crashing qemu with a segfault, but it is
    probably not possible to break out of the VM.

    Fixes: CVE-2016-3712
    Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
    Reported-by: P J P <ppandit@redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: update vga register setup on vbe changes (Gerd Hoffmann, 2016-05-02; 1 file, -0/+1)

    Call the new vbe_update_vgaregs() function on vbe configuration changes,
    to make sure vga registers are up-to-date.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: factor out vga register setup (Gerd Hoffmann, 2016-05-02; 1 file, -34/+44)

    When enabling vbe mode qemu will setup a bunch of vga registers to make
    sure the vga emulation operates in correct mode for a linear framebuffer.
    Move that code to a separate function so we can call it from other
    places too.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: add vbe_enabled() helper (Gerd Hoffmann, 2016-05-02; 1 file, -4/+9)

    Makes code a bit easier to read.

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* vga: fix banked access bounds checking (CVE-2016-3710) (Gerd Hoffmann, 2016-05-02; 1 file, -6/+18)

    vga allows banked access to video memory using the window at 0xa00000
    and it supports different access modes with different address
    calculations.

    The VBE bochs extensions support banked access too, using the
    VBE_DISPI_INDEX_BANK register.

    The code tries to take the different address calculations into account
    and applies different limits to VBE_DISPI_INDEX_BANK depending on the
    current access mode.

    Which is probably effective in stopping misprogramming by accident. But
    from a security point of view completely useless as an attacker can
    easily change access modes after setting the bank register.

    Drop the bogus check, add range checks to vga_mem_{readb,writeb} instead.

    Fixes: CVE-2016-3710
    Reported-by: Qinghao Tang <luodalongde@gmail.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND (Rutuja Shah, 2016-03-22; 1 file, -3/+3)

    This patch replaces get_ticks_per_sec() calls with the macro
    NANOSECONDS_PER_SECOND. Also, as there are no callers,
    get_ticks_per_sec() is then removed. This replacement improves the
    readability and understandability of code.

    For example,

        timer_mod(fdctrl->result_timer,
                  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (get_ticks_per_sec() / 50));

    NANOSECONDS_PER_SECOND makes it obvious that qemu_clock_get_ns matches
    the unit of the expression on the right side of the plus.

    Signed-off-by: Rutuja Shah <rutu.shah.26@gmail.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* include/qemu/osdep.h: Don't include qapi/error.h (Markus Armbruster, 2016-03-22; 1 file, -0/+1)

    Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the Error
    typedef. Since then, we've moved to include qemu/osdep.h everywhere.
    Its file comment explains: "To avoid getting into possible circular
    include dependencies, this file should not include any other QEMU
    headers, with the exceptions of config-host.h, compiler.h, os-posix.h
    and os-win32.h, all of which are doing a similar job to this file and
    are under similar constraints." qapi/error.h doesn't do a similar job,
    and it doesn't adhere to similar constraints: it includes qapi-types.h.
    That's in excess of 100KiB of crap most .c files don't actually need.

    Add the typedef to qemu/typedefs.h, and include that instead of
    qapi/error.h. Include qapi/error.h in .c files that need it and don't
    get it now. Include qapi-types.h in qom/object.h for uint16List.

    Update scripts/clean-includes accordingly. Update it further to match
    reality: replace config.h by config-target.h, add sysemu/os-posix.h,
    sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h
    comment quoted above similarly.

    This reduces the number of objects depending on qapi/error.h from "all
    of them" to less than a third. Unfortunately, the number depending on
    qapi-types.h shrinks only a little. More work is needed for that one.

    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    [Fix compilation without the spice devel packages. - Paolo]
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* hw/display: Clean up includes (Peter Maydell, 2016-01-29; 1 file, -0/+1)

    Clean up includes so that osdep.h is included first and headers which it
    implies are not included manually.

    This commit was created with scripts/clean-includes.

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Message-id: 1453832250-766-21-git-send-email-peter.maydell@linaro.org
* ui/curses: Fix color attribute of monitor for curses (OGAWA Hirofumi, 2016-01-08; 1 file, -1/+2)

    Current text_console_update() writes totally broken color attributes to
    console_write_ch(). The format now is writing,

    [WRONG]
        bold << 21 | fg << 12 | bg << 8 | char
        fg == 3bits curses color number
        bg == 3bits curses color number

    I can't see where this format comes from. Anyway, this doesn't work at
    all.

    What curses expects is actually (and vga.c is using),

    [RIGHT]
        bold << 21 | bg << 11 | fg << 8 | char
        fg == 3bits vga color number
        bg == 3bits vga color number

    And curses set COLOR_PAIR() up to match this format, and curses's
    chtype. I.e.,

        bold | color_pair | char
        color_pair == (bg << 3 | fg)

    To fix, this simply uses VGA color number everywhere except curses.c
    internal. Then, convert it to above [RIGHT] format to write by
    console_write_ch().

    And as bonus, this reduces to expose curses define to other parts
    (removes COLOR_* from console.c).

    [Tested the first line is displayed as white on blue back for monitor in
    curses console]

    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Message-id: 87r3j95407.fsf@mail.parknet.co.jp
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* Fix bad error handling after memory_region_init_ram()Markus Armbruster2015-09-181-1/+1
Symptom:

    $ qemu-system-x86_64 -m 10000000
    Unexpected error in ram_block_add() at /work/armbru/qemu/exec.c:1456:
    upstream-qemu: cannot set up guest memory 'pc.ram': Cannot allocate memory
    Aborted (core dumped)

Root cause: commit ef701d7 screwed up handling of out-of-memory conditions.

Before the commit, we report the error and exit(1), in one place, ram_block_add(). The commit lifts the error handling up the call chain some, to three places. Fine. Except it uses &error_abort in these places, changing the behavior from exit(1) to abort(), and thus undoing the work of commit 3922825 "exec: Don't abort when we can't allocate guest memory".

The three places are:

* memory_region_init_ram()

  Commit 4994653 (right after commit ef701d7) lifted the error handling further, through memory_region_init_ram(), multiplying the incorrect use of &error_abort. Later on, imitation of existing (bad) code may have created more.

* memory_region_init_ram_ptr()

  The &error_abort is still there.

* memory_region_init_rom_device()

  Doesn't need fixing, because commit 33e0eb5 (soon after commit ef701d7) lifted the error handling further, and in the process changed it from &error_abort to passing it up the call chain. Correct, because the callers are realize() methods.

Fix the error handling after memory_region_init_ram() with a Coccinelle semantic patch:

    @r@
    expression mr, owner, name, size, err;
    position p;
    @@
    memory_region_init_ram(mr, owner, name, size,
    (
    -   &error_abort
    +   &error_fatal
    |
        err@p
    )
    );

    @script:python@
    p << r.p;
    @@
    print "%s:%s:%s" % (p[0].file, p[0].line, p[0].column)

When the last argument is &error_abort, it gets replaced by &error_fatal. This is the fix. If the last argument is anything else, its position is reported. This lets us check the fix is complete.

Four positions get reported:

* ram_backend_memory_alloc()

  Error is passed up the call chain, ultimately through user_creatable_complete(). As far as I can tell, its callers all handle the error sanely.

* fsl_imx25_realize(), fsl_imx31_realize(), dp8393x_realize()

  DeviceClass.realize() methods, errors handled sanely further up the call chain.

We're good.

Test case again behaves:

    $ qemu-system-x86_64 -m 10000000
    qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory
    [Exit 1 ]

The next commits will repair the rest of commit ef701d7's damage.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1441983105-26376-3-git-send-email-armbru@redhat.com>
Reviewed-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
* migration: Use normal VMStateDescriptions for Subsections   Juan Quintela   2015-06-12   1   -7/+4
We create optional sections with this patch. But we already have optional subsections. Instead of having two mechanisms that do the same, we can just generalize it.

For subsections we just change:

- Add a needed function to VMStateDescription
- Remove VMStateSubsection (after removal of the needed function it is just a VMStateDescription)
- Adjust the whole tree, moving the needed function to the corresponding VMStateDescription

Signed-off-by: Juan Quintela <quintela@redhat.com>
* Fix remaining warnings from Sparse (void return)   Stefan Weil   2015-03-19   1   -1/+1
Sparse report:

    hw/display/vga.c:2000:5: warning: returning void-valued expression
    hw/intc/arm_gic.c:707:9: warning: returning void-valued expression
    hw/intc/etraxfs_pic.c:138:9: warning: returning void-valued expression
    hw/nvram/fw_cfg.c:475:5: warning: returning void-valued expression
    hw/timer/a9gtimer.c:124:5: warning: returning void-valued expression
    hw/tpm/tpm_tis.c:794:5: warning: returning void-valued expression
    hw/usb/hcd-musb.c:558:9: warning: returning void-valued expression
    hw/usb/hcd-musb.c:776:13: warning: returning void-valued expression
    hw/usb/hcd-musb.c:867:5: warning: returning void-valued expression
    hw/usb/hcd-musb.c:932:5: warning: returning void-valued expression
    include/qom/cpu.h:584:5: warning: returning void-valued expression
    monitor.c:4686:13: warning: returning void-valued expression
    monitor.c:4690:13: warning: returning void-valued expression

Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Andreas Färber <afaerber@suse.de>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* vga: refactor vram_size clamping and rounding   Radim Krčmář   2015-03-03   1   -7/+15
Make the code a bit more obvious. We don't have min/max, so a general helper for clamp probably isn't acceptable either.

Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* spice: fix invalid memory access to vga.vram   Radim Krčmář   2015-03-03   1   -2/+2
vga_common_init() doesn't allow more than 256 MiB vram size and silently shrinks any larger value. qxl_dirty_surfaces() used the unshrunk size via qxl->shadow_rom.surface0_area_size when accessing the memory, which resulted in a segfault.

Add a workaround for this case and an assert if it happens again.

We have to bump the vga memory limit too, because 256 MiB wouldn't have allowed 8k (it requires more than 128 MiB). 1024 MiB doesn't work, but 512 MiB seems fine.

Proposed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>