* [Qemu-devel] [PULL 0/7] vga fixes
@ 2016-05-23 12:32 Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 1/7] virtio-gpu: check early scanout id Gerd Hoffmann
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
Hi,
Here is the vga patch queue with a load of fixes:
* A collection of small virtio-gpu fixes by Marc-André Lureau
* Fix a regression caused by the CVE-2016-3712 fix.
please pull,
Gerd
The following changes since commit e081c24d30c1e7b29eb4450aa16d6a0da5782797:
Merge remote-tracking branch 'remotes/ehabkost/tags/machine-pull-request' into staging (2016-05-23 10:30:41 +0100)
are available in the git repository at:
git://git.kraxel.org/qemu tags/pull-vga-20160523-1
for you to fetch changes up to 94ef4f337fb614f18b765a8e0e878a4c23cdedcd:
vga: add sr_vbe register set (2016-05-23 14:28:25 +0200)
----------------------------------------------------------------
vga: fix CVE-2016-3712 regression, misc virtio-gpu fixes.
----------------------------------------------------------------
Gerd Hoffmann (1):
vga: add sr_vbe register set
Marc-André Lureau (6):
virtio-gpu: check early scanout id
virtio-vga: propagate on gpu realized error
virtio-gpu: check max_outputs value
virtio-gpu: check max_outputs only
virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
virtio-gpu: fix ui idx check
hw/display/vga.c | 50 +++++++++++++++++++++++-------------------
hw/display/vga_int.h | 1 +
hw/display/virtio-gpu-3d.c | 5 +++--
hw/display/virtio-gpu.c | 28 +++++++++++++----------
hw/display/virtio-vga.c | 8 ++++++-
include/hw/virtio/virtio-gpu.h | 6 ++---
6 files changed, 57 insertions(+), 41 deletions(-)
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 1/7] virtio-gpu: check early scanout id
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 2/7] virtio-vga: propagate on gpu realized error Gerd Hoffmann
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann, Michael S. Tsirkin
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Before accessing the g->scanout array, in order to avoid potential
out-of-bounds access.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-2-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 91345bd..64a60f2 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -508,6 +508,14 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
trace_virtio_gpu_cmd_set_scanout(ss.scanout_id, ss.resource_id,
ss.r.width, ss.r.height, ss.r.x, ss.r.y);
+ if (ss.scanout_id >= VIRTIO_GPU_MAX_SCANOUT ||
+ ss.scanout_id >= g->conf.max_outputs) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
+ __func__, ss.scanout_id);
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
+ return;
+ }
+
g->enable = 1;
if (ss.resource_id == 0) {
scanout = &g->scanout[ss.scanout_id];
@@ -517,8 +525,7 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
res->scanout_bitmask &= ~(1 << ss.scanout_id);
}
}
- if (ss.scanout_id == 0 ||
- ss.scanout_id >= g->conf.max_outputs) {
+ if (ss.scanout_id == 0) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: illegal scanout id specified %d",
__func__, ss.scanout_id);
@@ -533,14 +540,6 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
}
/* create a surface for this scanout */
- if (ss.scanout_id >= VIRTIO_GPU_MAX_SCANOUT ||
- ss.scanout_id >= g->conf.max_outputs) {
- qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
- __func__, ss.scanout_id);
- cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
- return;
- }
-
res = virtio_gpu_find_resource(g, ss.resource_id);
if (!res) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal resource specified %d\n",
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 2/7] virtio-vga: propagate on gpu realized error
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 1/7] virtio-gpu: check early scanout id Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 3/7] virtio-gpu: check max_outputs value Gerd Hoffmann
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann, Michael S. Tsirkin
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu-3d.c | 1 +
hw/display/virtio-vga.c | 8 +++++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index fa19294..20e8865 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -17,6 +17,7 @@
#include "trace.h"
#include "hw/virtio/virtio.h"
#include "hw/virtio/virtio-gpu.h"
+#include "qapi/error.h"
#ifdef CONFIG_VIRGL
diff --git a/hw/display/virtio-vga.c b/hw/display/virtio-vga.c
index e58b165..f49f8de 100644
--- a/hw/display/virtio-vga.c
+++ b/hw/display/virtio-vga.c
@@ -4,6 +4,7 @@
#include "ui/console.h"
#include "vga_int.h"
#include "hw/virtio/virtio-pci.h"
+#include "qapi/error.h"
/*
* virtio-vga: This extends VirtioPCIProxy.
@@ -89,6 +90,7 @@ static void virtio_vga_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
VirtIOVGA *vvga = VIRTIO_VGA(vpci_dev);
VirtIOGPU *g = &vvga->vdev;
VGACommonState *vga = &vvga->vga;
+ Error *err = NULL;
uint32_t offset;
int i;
@@ -124,7 +126,11 @@ static void virtio_vga_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
/* force virtio-1.0 */
vpci_dev->flags &= ~VIRTIO_PCI_FLAG_DISABLE_MODERN;
vpci_dev->flags |= VIRTIO_PCI_FLAG_DISABLE_LEGACY;
- object_property_set_bool(OBJECT(g), true, "realized", errp);
+ object_property_set_bool(OBJECT(g), true, "realized", &err);
+ if (err) {
+ error_propagate(errp, err);
+ return;
+ }
/* add stdvga mmio regions */
pci_std_vga_mmio_region_init(vga, &vpci_dev->modern_bar,
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 3/7] virtio-gpu: check max_outputs value
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 1/7] virtio-gpu: check early scanout id Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 2/7] virtio-vga: propagate on gpu realized error Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 4/7] virtio-gpu: check max_outputs only Gerd Hoffmann
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann, Michael S. Tsirkin
From: Marc-André Lureau <marcandre.lureau@redhat.com>
The value must be less than VIRTIO_GPU_MAX_SCANOUT.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 64a60f2..7114021 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -20,6 +20,7 @@
#include "hw/virtio/virtio-gpu.h"
#include "hw/virtio/virtio-bus.h"
#include "qemu/log.h"
+#include "qapi/error.h"
static struct virtio_gpu_simple_resource*
virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
@@ -929,6 +930,11 @@ static void virtio_gpu_device_realize(DeviceState *qdev, Error **errp)
bool have_virgl;
int i;
+ if (g->conf.max_outputs > VIRTIO_GPU_MAX_SCANOUT) {
+ error_setg(errp, "invalid max_outputs > %d", VIRTIO_GPU_MAX_SCANOUT);
+ return;
+ }
+
g->config_size = sizeof(struct virtio_gpu_config);
g->virtio_config.num_scanouts = g->conf.max_outputs;
virtio_init(VIRTIO_DEVICE(g), "virtio-gpu", VIRTIO_ID_GPU,
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 4/7] virtio-gpu: check max_outputs only
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
` (2 preceding siblings ...)
2016-05-23 12:32 ` [Qemu-devel] [PULL 3/7] virtio-gpu: check max_outputs value Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 5/7] virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS Gerd Hoffmann
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann, Michael S. Tsirkin
From: Marc-André Lureau <marcandre.lureau@redhat.com>
The scanout id should not be above the configured num_scanouts.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu-3d.c | 4 ++--
hw/display/virtio-gpu.c | 5 ++---
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 20e8865..433bf93 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -128,7 +128,7 @@ static void virgl_cmd_resource_flush(VirtIOGPU *g,
trace_virtio_gpu_cmd_res_flush(rf.resource_id,
rf.r.width, rf.r.height, rf.r.x, rf.r.y);
- for (i = 0; i < VIRTIO_GPU_MAX_SCANOUT; i++) {
+ for (i = 0; i < g->conf.max_outputs; i++) {
if (g->scanout[i].resource_id != rf.resource_id) {
continue;
}
@@ -147,7 +147,7 @@ static void virgl_cmd_set_scanout(VirtIOGPU *g,
trace_virtio_gpu_cmd_set_scanout(ss.scanout_id, ss.resource_id,
ss.r.width, ss.r.height, ss.r.x, ss.r.y);
- if (ss.scanout_id >= VIRTIO_GPU_MAX_SCANOUT) {
+ if (ss.scanout_id >= g->conf.max_outputs) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
__func__, ss.scanout_id);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7114021..643dd92 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -466,7 +466,7 @@ static void virtio_gpu_resource_flush(VirtIOGPU *g,
pixman_region_init_rect(&flush_region,
rf.r.x, rf.r.y, rf.r.width, rf.r.height);
- for (i = 0; i < VIRTIO_GPU_MAX_SCANOUT; i++) {
+ for (i = 0; i < g->conf.max_outputs; i++) {
struct virtio_gpu_scanout *scanout;
pixman_region16_t region, finalregion;
pixman_box16_t *extents;
@@ -509,8 +509,7 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
trace_virtio_gpu_cmd_set_scanout(ss.scanout_id, ss.resource_id,
ss.r.width, ss.r.height, ss.r.x, ss.r.y);
- if (ss.scanout_id >= VIRTIO_GPU_MAX_SCANOUT ||
- ss.scanout_id >= g->conf.max_outputs) {
+ if (ss.scanout_id >= g->conf.max_outputs) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
__func__, ss.scanout_id);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 5/7] virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
` (3 preceding siblings ...)
2016-05-23 12:32 ` [Qemu-devel] [PULL 4/7] virtio-gpu: check max_outputs only Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 6/7] virtio-gpu: fix ui idx check Gerd Hoffmann
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann, Michael S. Tsirkin
From: Marc-André Lureau <marcandre.lureau@redhat.com>
The value is defined in virtio_gpu.h already (changing from 4 to 16).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu.c | 4 ++--
include/hw/virtio/virtio-gpu.h | 6 ++----
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 643dd92..bc10d5d 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -929,8 +929,8 @@ static void virtio_gpu_device_realize(DeviceState *qdev, Error **errp)
bool have_virgl;
int i;
- if (g->conf.max_outputs > VIRTIO_GPU_MAX_SCANOUT) {
- error_setg(errp, "invalid max_outputs > %d", VIRTIO_GPU_MAX_SCANOUT);
+ if (g->conf.max_outputs > VIRTIO_GPU_MAX_SCANOUTS) {
+ error_setg(errp, "invalid max_outputs > %d", VIRTIO_GPU_MAX_SCANOUTS);
return;
}
diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
index 13b0ab0..1602a13 100644
--- a/include/hw/virtio/virtio-gpu.h
+++ b/include/hw/virtio/virtio-gpu.h
@@ -27,8 +27,6 @@
#define VIRTIO_ID_GPU 16
-#define VIRTIO_GPU_MAX_SCANOUT 4
-
struct virtio_gpu_simple_resource {
uint32_t resource_id;
uint32_t width;
@@ -98,8 +96,8 @@ typedef struct VirtIOGPU {
QTAILQ_HEAD(, virtio_gpu_ctrl_command) cmdq;
QTAILQ_HEAD(, virtio_gpu_ctrl_command) fenceq;
- struct virtio_gpu_scanout scanout[VIRTIO_GPU_MAX_SCANOUT];
- struct virtio_gpu_requested_state req_state[VIRTIO_GPU_MAX_SCANOUT];
+ struct virtio_gpu_scanout scanout[VIRTIO_GPU_MAX_SCANOUTS];
+ struct virtio_gpu_requested_state req_state[VIRTIO_GPU_MAX_SCANOUTS];
struct virtio_gpu_conf conf;
int enabled_output_bitmask;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 6/7] virtio-gpu: fix ui idx check
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
` (4 preceding siblings ...)
2016-05-23 12:32 ` [Qemu-devel] [PULL 5/7] virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 7/7] vga: add sr_vbe register set Gerd Hoffmann
2016-05-23 14:52 ` [Qemu-devel] [PULL 0/7] vga fixes Peter Maydell
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann, Michael S. Tsirkin
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Fix off-by-one value check (0 is the first scanout).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index bc10d5d..f3b0f14 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -879,7 +879,7 @@ static int virtio_gpu_ui_info(void *opaque, uint32_t idx, QemuUIInfo *info)
{
VirtIOGPU *g = opaque;
- if (idx > g->conf.max_outputs) {
+ if (idx >= g->conf.max_outputs) {
return -1;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PULL 7/7] vga: add sr_vbe register set
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
` (5 preceding siblings ...)
2016-05-23 12:32 ` [Qemu-devel] [PULL 6/7] virtio-gpu: fix ui idx check Gerd Hoffmann
@ 2016-05-23 12:32 ` Gerd Hoffmann
2016-05-23 14:52 ` [Qemu-devel] [PULL 0/7] vga fixes Peter Maydell
7 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2016-05-23 12:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann, qemu-stable
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.
This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[]. Normal vga register reads and
writes go to sr[]. Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.
This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.
Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
---
hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
hw/display/vga_int.h | 1 +
2 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 4a55ec6..9ebc54f 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
}
+static inline uint8_t sr(VGACommonState *s, int idx)
+{
+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
+}
+
static void vga_update_memory_access(VGACommonState *s)
{
hwaddr base, offset, size;
@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
s->has_chain4_alias = false;
s->plane_updated = 0xf;
}
- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
offset = 0;
switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
case 0:
@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
clock_sel = (s->msr >> 2) & 3;
dots = (s->msr & 1) ? 8 : 9;
@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
#endif
s->sr[s->sr_index] = val & sr_mask[s->sr_index];
- vbe_update_vgaregs(s);
if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
s->update_retrace_info(s);
}
@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
shift_control = 0;
- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
} else {
shift_control = 2;
/* set chain 4 mode */
- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
/* activate all planes */
- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
}
s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
(shift_control << 5);
@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
break;
}
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
/* chain 4 mode : simplest access */
assert(addr < s->vram_size);
ret = s->vram_ptr[addr];
@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
break;
}
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
/* chain 4 mode : simplest access */
plane = addr & 3;
mask = (1 << plane);
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
assert(addr < s->vram_size);
s->vram_ptr[addr] = val;
#ifdef DEBUG_VGA_MEM
@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
/* odd/even mode (aka text mode mapping) */
plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
mask = (1 << plane);
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
addr = ((addr & ~1) << 1) | plane;
if (addr >= s->vram_size) {
return;
@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
do_write:
/* mask data according to sr[2] */
- mask = s->sr[VGA_SEQ_PLANE_WRITE];
+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
s->plane_updated |= mask; /* only used to detect font change */
write_mask = mask16[mask];
if (addr * sizeof(uint32_t) >= s->vram_size) {
@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
/* total width & height */
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
cwidth = 8;
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
cwidth = 9;
}
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
cwidth = 16; /* NOTE: no 18 pixel wide */
}
width = (s->cr[VGA_CRTC_H_DISP] + 1);
@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
/* compute font data address (in plane 2) */
- v = s->sr[VGA_SEQ_CHARACTER_MAP];
+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
if (offset != s->font_offsets[0]) {
s->font_offsets[0] = offset;
@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
}
if (shift_control == 0) {
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
disp_width <<= 1;
}
} else if (shift_control == 1) {
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
disp_width <<= 1;
}
}
@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (shift_control == 0) {
full_update |= update_palette16(s);
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
v = VGA_DRAW_LINE4D2;
} else {
v = VGA_DRAW_LINE4;
@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
bits = 4;
} else if (shift_control == 1) {
full_update |= update_palette16(s);
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
v = VGA_DRAW_LINE2D2;
} else {
v = VGA_DRAW_LINE2;
@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
#if 0
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
#endif
addr1 = (s->start_addr * 4);
bwidth = (width * bits + 7) / 8;
@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
{
s->sr_index = 0;
memset(s->sr, '\0', sizeof(s->sr));
+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
s->gr_index = 0;
memset(s->gr, '\0', sizeof(s->gr));
s->ar_index = 0;
@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
/* total width & height */
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
cw = 8;
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
cw = 9;
}
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
cw = 16; /* NOTE: no 18 pixel wide */
}
width = (s->cr[VGA_CRTC_H_DISP] + 1);
@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
/* force refresh */
s->graphic_mode = -1;
+ vbe_update_vgaregs(s);
return 0;
}
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
index bdb43a5..3ce5544 100644
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@@ -98,6 +98,7 @@ typedef struct VGACommonState {
MemoryRegion chain4_alias;
uint8_t sr_index;
uint8_t sr[256];
+ uint8_t sr_vbe[256];
uint8_t gr_index;
uint8_t gr[256];
uint8_t ar_index;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PULL 0/7] vga fixes
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
` (6 preceding siblings ...)
2016-05-23 12:32 ` [Qemu-devel] [PULL 7/7] vga: add sr_vbe register set Gerd Hoffmann
@ 2016-05-23 14:52 ` Peter Maydell
7 siblings, 0 replies; 9+ messages in thread
From: Peter Maydell @ 2016-05-23 14:52 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: QEMU Developers
On 23 May 2016 at 13:32, Gerd Hoffmann <kraxel@redhat.com> wrote:
> Hi,
>
> Here is the vga patch queue with a load of fixes:
> * A collection of small virtio-gpu fixes by Marc-André Lureau
> * Fix a regression caused by the CVE-2016-3712 fix.
>
> please pull,
> Gerd
>
> The following changes since commit e081c24d30c1e7b29eb4450aa16d6a0da5782797:
>
> Merge remote-tracking branch 'remotes/ehabkost/tags/machine-pull-request' into staging (2016-05-23 10:30:41 +0100)
>
> are available in the git repository at:
>
>
> git://git.kraxel.org/qemu tags/pull-vga-20160523-1
>
> for you to fetch changes up to 94ef4f337fb614f18b765a8e0e878a4c23cdedcd:
>
> vga: add sr_vbe register set (2016-05-23 14:28:25 +0200)
>
> ----------------------------------------------------------------
> vga: fix CVE-2016-3712 regression, misc virtio-gpu fixes.
Applied, thanks.
-- PMM
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2016-05-23 14:53 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-23 12:32 [Qemu-devel] [PULL 0/7] vga fixes Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 1/7] virtio-gpu: check early scanout id Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 2/7] virtio-vga: propagate on gpu realized error Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 3/7] virtio-gpu: check max_outputs value Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 4/7] virtio-gpu: check max_outputs only Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 5/7] virtio-gpu: use VIRTIO_GPU_MAX_SCANOUTS Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 6/7] virtio-gpu: fix ui idx check Gerd Hoffmann
2016-05-23 12:32 ` [Qemu-devel] [PULL 7/7] vga: add sr_vbe register set Gerd Hoffmann
2016-05-23 14:52 ` [Qemu-devel] [PULL 0/7] vga fixes Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.