- 14 6月, 2016 2 次提交
-
-
由 KONRAD Frederic 提交于
This is the implementation of the DisplayPort. It has an aux-bus to access dpcd and edid. Graphic plane is connected to the channel 3. Video plane is connected to the channel 0. Audio stream are connected to the channels 4 and 5. Signed-off-by: NKONRAD Frederic <fred.konrad@greensocs.com> Tested-By: NHyun Kwon <hyun.kwon@xilinx.com> Reviewed-by: NAlistair Francis <alistair.francis@xilinx.com> Message-id: 1465833014-21982-9-git-send-email-fred.konrad@greensocs.com [PMM: fixed format strings] Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 KONRAD Frederic 提交于
This introduces dpcd module. It wires on a aux-bus and can be accessed by the driver to get lane-speed, etc. Signed-off-by: NKONRAD Frederic <fred.konrad@greensocs.com> Reviewed-by: NAlistair Francis <alistair.francis@xilinx.com> Reviewed-by: NPeter Crosthwaite <crosthwaite.peter@gmail.com> Tested-By: NHyun Kwon <hyun.kwon@xilinx.com> Message-id: 1465833014-21982-6-git-send-email-fred.konrad@greensocs.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 07 6月, 2016 1 次提交
-
-
由 Laurent Vivier 提交于
Replace (((n) + (d) - 1) /(d)) by DIV_ROUND_UP(n,d). This patch is the result of coccinelle script scripts/coccinelle/round.cocci CC: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: NLaurent Vivier <lvivier@redhat.com> Reviewed-by: NStefano Stabellini <sstabellini@kernel.org> Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>
-
- 06 6月, 2016 5 次提交
-
-
由 Gerd Hoffmann 提交于
Store some additional state for cursor and resource backing storage, so we can write out and reload things. Implement vmsave+vmload for 2d mode. Continue blocking live migration in 3d/virgl mode. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1464009727-7753-1-git-send-email-kraxel@redhat.com
-
由 Gerd Hoffmann 提交于
vmsvga_fifo_run is called in regular intervals (on each display update) and will resume where it left off. So we can simply exit the loop, without having to worry about how processing will continue. Fixes: CVE-2016-4453 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: N李强 <liqiang6-s@360.cn> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-
由 Gerd Hoffmann 提交于
The fifo is normal ram. So kvm vcpu threads and qemu iothread can access the fifo in parallel without syncronization. Which in turn implies we can't use the fifo pointers in-place because the guest can try changing them underneath us. So add shadows for them, to make sure the guest can't modify them after we've applied sanity checks. Fixes: CVE-2016-4454 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
-
由 Gerd Hoffmann 提交于
Make sure all fifo ptrs are within range. Fixes: CVE-2016-4454 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: N李强 <liqiang6-s@360.cn> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
-
由 Gerd Hoffmann 提交于
Sanity checks are applied when the fifo is enabled by the guest (SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest changes the fifo registers afterwards. Move the checks to vmsvga_fifo_length so they are done each time qemu is about to read from the fifo. Fixes: CVE-2016-4454 Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Reported-by: N李强 <liqiang6-s@360.cn> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
-
- 03 6月, 2016 1 次提交
-
-
由 Gerd Hoffmann 提交于
Commit "ca58b45f ui/virtio-gpu: add and use qemu_create_displaysurface_pixman" breaks scanouts which use a region of the underlying resource only. So, we need another way to handle the underlying issue. Lets create a new pixman image, grab a reference on the pixman providing the underlying storage, hook up a destroy callback which releases the reference. That way regions work again and releasing the backing storage should still be impossible thanks to the extra reference we are holding. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1464597655-26341-1-git-send-email-kraxel@redhat.com
-
- 23 5月, 2016 7 次提交
-
-
由 Gerd Hoffmann 提交于
Commit "fd3c136b vga: make sure vga register setup for vbe stays intact (CVE-2016-3712)." causes a regression. The win7 installer is unhappy because it can't freely modify vga registers any more while in vbe mode. This patch introduces a new sr_vbe register set. The vbe_update_vgaregs will fill sr_vbe[] instead of sr[]. Normal vga register reads and writes go to sr[]. Any sr register read access happens through a new sr() helper function which will read from sr_vbe[] with vbe active and from sr[] otherwise. This way we can allow guests update sr[] registers as they want, without allowing them disrupt vbe video modes that way. Cc: qemu-stable@nongnu.org Reported-by: NThomas Lamprecht <thomas@lamprecht.org> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
-
由 Marc-André Lureau 提交于
Fix off-by-one value check (0 is the first scanout). Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-7-git-send-email-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
The value is defined in virtio_gpu.h already (changing from 4 to 16). Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-6-git-send-email-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
The scanout id should not be above the configured num_scanouts. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-5-git-send-email-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
The value must be less than VIRTIO_GPU_MAX_SCANOUT. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-4-git-send-email-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-3-git-send-email-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
Before accessing the g->scanout array, in order to avoid potential out-of-bounds access. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1463653560-26958-2-git-send-email-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 19 5月, 2016 3 次提交
-
-
由 Paolo Bonzini 提交于
Move the inclusion out of hw/hw.h, most files do not need it. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Move it to the actual users. There are some inclusions of qemu/host-utils.h in headers, but they are all necessary. Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 13 5月, 2016 1 次提交
-
-
由 xiaoqiang.zhao 提交于
* Drop the old SysBus init function and use instance_init * Move graphic_console_init into realize stage Signed-off-by: Nxiaoqiang zhao <zxq_yx_007@163.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
-
- 12 5月, 2016 5 次提交
-
-
由 Peter Maydell 提交于
We no longer need to do the "multiply include this header" trick with blizzard_template.h, and it is only used in a single .c file, so just put its contents inline in blizzard.c. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-id: 1462371352-21498-3-git-send-email-peter.maydell@linaro.org
-
由 Peter Maydell 提交于
Now that we can assume that only depth 32 is possible, there's no need for the COPY_PIXEL1 and PIXEL_TYPE macros, and the SKIP_PIXEL, COPY_PIXEL and SWAP_WORDS macros aren't used at all. Expand out COPY_PIXEL1 and PIXEL_TYPE where they are used, delete the unused macro definitions, and expand out the uses of glue(name_prefix, DEPTH). Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-id: 1462371352-21498-2-git-send-email-peter.maydell@linaro.org
-
由 xiaoqiang zhao 提交于
* Drop the old SysBus init function and use instance_init * Move graphic_console_init into realize stage Signed-off-by: Nxiaoqiang zhao <zxq_yx_007@163.com> Message-id: 1462417489-28603-2-git-send-email-zxq_yx_007@163.com Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Pooja Dhannawat 提交于
surface_bits_per_pixel() always returns 32 so, removing other dead code which is based on DEPTH !== 32 Signed-off-by: NPooja Dhannawat <dhannawatpooja1@gmail.com> Message-id: 1459260142-9144-1-git-send-email-dhannawatpooja1@gmail.com Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
由 Pooja Dhannawat 提交于
Removing support for DEPTH != 32 from blizzard template header and file that includes it, as macro DEPTH == 32 only used. Reviewed-by: NEric Blake <eblake@redhat.com> Signed-off-by: NPooja Dhannawat <dhannawatpooja1@gmail.com> Message-id: 1458971873-2768-1-git-send-email-dhannawatpooja1@gmail.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 02 5月, 2016 5 次提交
-
-
由 Gerd Hoffmann 提交于
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT registers, to make sure the vga registers will always have the values needed by vbe mode. This makes sure the sanity checks applied by vbe_fixup_regs() are effective. Without this guests can muck with shift_control, can turn on planar vga modes or text mode emulation while VBE is active, making qemu take code paths meant for CGA compatibility, but with the very large display widths and heigts settable using VBE registers. Which is good for one or another buffer overflow. Not that critical as they typically read overflows happening somewhere in the display code. So guests can DoS by crashing qemu with a segfault, but it is probably not possible to break out of the VM. Fixes: CVE-2016-3712 Reported-by: NZuozhi Fzz <zuozhi.fzz@alibaba-inc.com> Reported-by: NP J P <ppandit@redhat.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
Call the new vbe_update_vgaregs() function on vbe configuration changes, to make sure vga registers are up-to-date. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
When enabling vbe mode qemu will setup a bunch of vga registers to make sure the vga emulation operates in correct mode for a linear framebuffer. Move that code to a separate function so we can call it from other places too. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
Makes code a bit easier to read. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
vga allows banked access to video memory using the window at 0xa00000 and it supports a different access modes with different address calculations. The VBE bochs extentions support banked access too, using the VBE_DISPI_INDEX_BANK register. The code tries to take the different address calculations into account and applies different limits to VBE_DISPI_INDEX_BANK depending on the current access mode. Which is probably effective in stopping misprogramming by accident. But from a security point of view completely useless as an attacker can easily change access modes after setting the bank register. Drop the bogus check, add range checks to vga_mem_{readb,writeb} instead. Fixes: CVE-2016-3710 Reported-by: NQinghao Tang <luodalongde@gmail.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 13 4月, 2016 1 次提交
-
-
由 Wei Liu 提交于
In commit ac0487e1 ("xenfb.c: avoid expensive loops when prod <= out_cons"), ">=" was used. In fact, a full ring is a legit state. Correct the test to use ">". Reported-by: N"Hao, Xudong" <xudong.hao@intel.com> Signed-off-by: NWei Liu <wei.liu2@citrix.com> Tested-by: N"Hao, Xudong" <xudong.hao@intel.com> Acked-by: NAnthony Perard <anthony.perard@citrix.com> Signed-off-by: NStefano Stabellini <sstabellini@kernel.org>
-
- 11 4月, 2016 2 次提交
-
-
由 Gerd Hoffmann 提交于
Feeling a bit nervous putting the full live migration support patch (https://patchwork.ozlabs.org/patch/606902/) in that late in the 2.6 devel cycle as it carries some non-trivial changes. So disable migration in case virtio-gpu is present for now. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
Add a the new qemu_create_displaysurface_pixman function, to create a DisplaySurface backed by an existing pixman image. In that case there is no need to create a new pixman image pointing to the same backing storage. We can just use the existing image directly. This does not only simplify things a bit, but most importantly it gets the reference counting right, so the backing storage for the pixman image wouldn't be released underneath us. Use new function in virtio-gpu, where using it actually fixes use-after-free crashes. Cc: qemu-stable@nongnu.org Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 1459499240-742-1-git-send-email-kraxel@redhat.com
-
- 23 3月, 2016 3 次提交
-
-
由 Rutuja Shah 提交于
This patch replaces get_ticks_per_sec() calls with the macro NANOSECONDS_PER_SECOND. Also, as there are no callers, get_ticks_per_sec() is then removed. This replacement improves the readability and understandability of code. For example, timer_mod(fdctrl->result_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (get_ticks_per_sec() / 50)); NANOSECONDS_PER_SECOND makes it obvious that qemu_clock_get_ns matches the unit of the expression on the right side of the plus. Signed-off-by: NRutuja Shah <rutu.shah.26@gmail.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Markus Armbruster 提交于
Commit 57cb38b3 included qapi/error.h into qemu/osdep.h to get the Error typedef. Since then, we've moved to include qemu/osdep.h everywhere. Its file comment explains: "To avoid getting into possible circular include dependencies, this file should not include any other QEMU headers, with the exceptions of config-host.h, compiler.h, os-posix.h and os-win32.h, all of which are doing a similar job to this file and are under similar constraints." qapi/error.h doesn't do a similar job, and it doesn't adhere to similar constraints: it includes qapi-types.h. That's in excess of 100KiB of crap most .c files don't actually need. Add the typedef to qemu/typedefs.h, and include that instead of qapi/error.h. Include qapi/error.h in .c files that need it and don't get it now. Include qapi-types.h in qom/object.h for uint16List. Update scripts/clean-includes accordingly. Update it further to match reality: replace config.h by config-target.h, add sysemu/os-posix.h, sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h comment quoted above similarly. This reduces the number of objects depending on qapi/error.h from "all of them" to less than a third. Unfortunately, the number depending on qapi-types.h shrinks only a little. More work is needed for that one. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> [Fix compilation without the spice devel packages. - Paolo] Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 17 3月, 2016 1 次提交
-
-
由 Grégory ESTRADE 提交于
The framebuffer occupies the upper portion of memory (64MiB by default), but it can only be controlled/configured via a system mailbox or property channel (to be added by a subsequent patch). Signed-off-by: NGrégory ESTRADE <gregory.estrade@gmail.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NAndrew Baumann <Andrew.Baumann@microsoft.com> Message-id: 1457467526-8840-4-git-send-email-Andrew.Baumann@microsoft.com [AB: added Windows (BGR) support and cleanup/refactoring for upstream submission] Signed-off-by: NAndrew Baumann <Andrew.Baumann@microsoft.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 01 3月, 2016 2 次提交
-
-
由 Gerd Hoffmann 提交于
This should fix a defect report from Coverity. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 Paolo Bonzini 提交于
The "max" value is being compared with >=, but addr + width points to the first byte that will _not_ be copied. Laszlo suggested using a "greater than" comparison, instead of subtracting one like it is already done above for the height, so that max remains always positive. The mistake is "safe"---it will reject some blits, but will never cause out-of-bounds writes. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NLaszlo Ersek <lersek@redhat.com> Message-id: 1455121059-18280-1-git-send-email-pbonzini@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 23 2月, 2016 1 次提交
-
-
由 Peter Maydell 提交于
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NEric Blake <eblake@redhat.com>
-