aboutsummaryrefslogtreecommitdiff
path: root/hw/display/qxl-render.c
AgeCommit message (Collapse)Author
2023-03-13ui: rename cursor_{put->unref}Marc-André Lureau
The naming is more conventional in QEMU. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2022-11-29hw/display/qxl: Pass requested buffer size to qxl_phys2virt()Philippe Mathieu-Daudé
Currently qxl_phys2virt() doesn't check for buffer overrun. In order to do so in the next commit, pass the buffer size as argument. For QXLCursor in qxl_render_cursor() -> qxl_cursor() we verify the size of the chunked data ahead, checking we can access 'sizeof(QXLCursor) + chunk->data_size' bytes. Since in the SPICE_CURSOR_TYPE_MONO case the cursor is assumed to fit in one chunk, no change are required. In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in qxl_unpack_chunks(). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221128202741.4945-4-philmd@linaro.org>
2022-04-07ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)Mauro Matteo Cascella
Prevent potential integer overflow by limiting 'width' and 'height' to 512x512. Also change 'datasize' type to size_t. Refer to security advisory https://starlabs.sg/advisories/22-4206/ for more information. Fixes: CVE-2021-4206 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220407081712.345609-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-04-07display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)Mauro Matteo Cascella
Avoid fetching 'width' and 'height' a second time to prevent possible race condition. Refer to security advisory https://starlabs.sg/advisories/22-4207/ for more information. Fixes: CVE-2021-4207 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220407081106.343235-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2021-02-04qxl: also notify the rendering is done when skipping itMarc-André Lureau
Asynchronous handlers may be waiting for the graphic_hw_update_done() to be called in this case too. Fixes: 4d6316218 ("console: add graphic_hw_update_done()") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20210201201422.446552-3-marcandre.lureau@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-01-02console: add graphic_hw_update_done()Marc-André Lureau
Add a function to be called when a graphic update is done. Declare the QXL renderer as async: render_update_cookie_num counts the number of outstanding updates, and graphic_hw_update_done() is called when it reaches none. (note: this is preliminary work for asynchronous screendump support) Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-16sysemu: Split sysemu/runstate.h off sysemu/sysemu.hMarkus Armbruster
sysemu/sysemu.h is a rather unfocused dumping ground for stuff related to the system-emulator. Evidence: * It's included widely: in my "build everything" tree, changing sysemu/sysemu.h still triggers a recompile of some 1100 out of 6600 objects (not counting tests and objects that don't depend on qemu/osdep.h, down from 5400 due to the previous two commits). * It pulls in more than a dozen additional headers. Split stuff related to run state management into its own header sysemu/runstate.h. Touching sysemu/sysemu.h now recompiles some 850 objects. qemu/uuid.h also drops from 1100 to 850, and qapi/qapi-types-run-state.h from 4400 to 4200. Touching new sysemu/runstate.h recompiles some 500 objects. Since I'm touching MAINTAINERS to add sysemu/runstate.h anyway, also add qemu/main-loop.h. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20190812052359.30071-30-armbru@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> [Unbreak OS-X build]
2019-08-16Include sysemu/sysemu.h a lot lessMarkus Armbruster
In my "build everything" tree, changing sysemu/sysemu.h triggers a recompile of some 5400 out of 6600 objects (not counting tests and objects that don't depend on qemu/osdep.h). hw/qdev-core.h includes sysemu/sysemu.h since recent commit e965ffa70a "qdev: add qdev_add_vm_change_state_handler()". This is a bad idea: hw/qdev-core.h is widely included. Move the declaration of qdev_add_vm_change_state_handler() to sysemu/sysemu.h, and drop the problematic include from hw/qdev-core.h. Touching sysemu/sysemu.h now recompiles some 1800 objects. qemu/uuid.h also drops from 5400 to 1800. A few more headers show smaller improvement: qemu/notify.h drops from 5600 to 5200, qemu/timer.h from 5600 to 4500, and qapi/qapi-types-run-state.h from 5500 to 5000. Cc: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20190812052359.30071-28-armbru@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
2018-09-27qxl: support mono cursors with inverted colorsPeter Wu
Monochrome cursors are still used by Windows guests with the QXL-WDDM-DOD driver. Such cursor types have one odd feature, inversion of colors. GDK does not seem to support it, so implement an alternative solution: fill the inverted pixels and add an outline to make the cursor more visible. Tested with the text cursor in Notepad and Windows 10. cursor_set_mono is also used by the vmware GPU, so add a special check to avoid breaking its 32bpp format (tested with Kubuntu 14.04.4). I was unable to find a guest which supports the 1bpp format with a vmware GPU. The old implementation was buggy and removed in v2.10.0-108-g79c5a10cdd ("qxl: drop mono cursor support"), this version improves upon that by adding bounds validation, clarifying the semantics of the two masks and adds a workaround for inverted colors support. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1611984 Signed-off-by: Peter Wu <peter@lekensteyn.nl> Message-id: 20180903145447.17142-1-peter@lekensteyn.nl [ kraxel: minor codestyle fix ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-09-27qxl: use guest_monitor_config for local renderer.Gerd Hoffmann
When processing monitor config from guest store head0 width and height for single-head configurations. Use these when creating the DisplaySurface in the local renderer. This fixes a rendering issue with wayland. Wayland rounds up the framebuffer width and height to a multiple of 64, so with odd resolutions (800x600 for example) the framebuffer is larger than the actual screen. The monitor config has the actual screen size though. This fixes guest display for anything using the local renderer (non-spice UI, screendump monitor command). Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20180919103057.9666-1-kraxel@redhat.com
2018-05-07qxl: fix local renderer crashGerd Hoffmann
Make sure we only ask the spice local renderer for display updates in case we have a valid primary surface. Without that spice is confused and throws errors in case a display update request (triggered by screendump for example) happens in parallel to a mode switch and hits the race window where the old primary surface is gone and the new isn't establisted yet. Cc: qemu-stable@nongnu.org Fixes: https://bugzilla.redhat.com//show_bug.cgi?id=1567733 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20180427115528.345-1-kraxel@redhat.com
2018-01-22Replace all occurances of __FUNCTION__ with __func__Alistair Francis
Replace all occurs of __FUNCTION__ except for the check in checkpatch with the non GCC specific __func__. One line in hcd-musb.c was manually tweaked to pass checkpatch. Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> [THH: Removed hunks related to pxa2xx_mmci.c (fixed already)] Signed-off-by: Thomas Huth <thuth@redhat.com>
2017-09-01qxl: add support for chunked cursors.Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 20170828123933.30323-3-kraxel@redhat.com
2017-09-01qxl: drop mono cursor supportGerd Hoffmann
The chunk size sanity check in qxl_render_cursor works for SPICE_CURSOR_TYPE_ALPHA cursors only. So support for SPICE_CURSOR_TYPE_MONO cursors must be broken for ages without anyone noticing. Most likely it simply isn't used any more by guest drivers. Drop the dead code. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 20170828123933.30323-2-kraxel@redhat.com
2016-01-29hw/display: Clean up includesPeter Maydell
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-21-git-send-email-peter.maydell@linaro.org
2015-09-11typofixes - v4Veres Lajos
Signed-off-by: Veres Lajos <vlajos@gmail.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-12-16spice: use bottom half instead of refresh timer for cursor updatesGerd Hoffmann
Calling directly doesn't work due to the qxl-render code running in spice server thread context. Meanwhile bottom half scheduling is thread-safe though, so we can use that to kick a cursor update in main i/o thread context. Cc: Marc-André Lureau <marcandre.lureau@gmail.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-09-05console: stop using PixelFormatGerd Hoffmann
With this patch the qemu console core stops using PixelFormat and pixman format codes side-by-side, pixman format code is the primary way to specify the DisplaySurface format: * DisplaySurface stops carrying a PixelFormat field. * qemu_create_displaysurface_from() expects a pixman format now. Functions to convert PixelFormat to pixman_format_code_t (and back) exist for those who still use PixelFormat. As PixelFormat allows easy access to masks and shifts it will probably continue to exist. [ xenfb added by Benjamin Herrenschmidt ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-09-01qxl-render: add more sanity checksGerd Hoffmann
Damn, the dirty rectangle values are signed integers. So the checks added by commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21 are not good enough, we also have to make sure they are not negative. [ Note: There must be something broken in spice-server so we get negative values in the first place. Bug opened: https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ] Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2014-06-13qxl-render: add sanity checkGerd Hoffmann
Verify dirty rectangle is completely within the primary surface, just ignore it in case it isn't. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-12-07qxl: Add missing trace.h (fix broken build)Stefan Weil
Commit ac86048bcd41129b18702ba63395f222871804de removed trace.h from console.h and ignored the fact that qxl-render.c needs this file (it includes qxl.h which includes console.h which included trace.h). Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2013-09-10qxl: fix local rendererGerd Hoffmann
The local spice renderer assumes the primary surface is located at the start of the "ram" bar. This used to be a requirement in qxl hardware revision 1. In revision 2+ this is relaxed. Nevertheless guest drivers continued to use the traditional location, for historical and backward compatibility reasons. The qxl kms driver doesn't though as it depends on qxl revision 4+ anyway. Result is that local rendering is hosed for recent linux guests, you'll get pixel garbage with non-spice ui (gtk, sdl, vnc) and when doing screendumps. Fix that by doing a proper mapping of the guest-specified memory location. https://bugzilla.redhat.com/show_bug.cgi?id=948717 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-06-24qxl: fix Coverity scan SIGN_EXTENSION errorGerd Hoffmann
Cc: Markus Armbruster <armbru@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-04-08hw: move private headers to hw/ subdirectories.Paolo Bonzini
Many headers are used only in a single directory. These can be kept in hw/. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08hw: move display devices to hw/display/, configure via default-configs/Paolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>