From d57f252addefa0a66db554038b063fd2331bb269 Mon Sep 17 00:00:00 2001 From: Hou Qiming Date: Mon, 13 May 2019 14:57:29 +0300 Subject: [PATCH 1/3] hw/display/ramfb: fix guest memory un-mapping Pulled back the `qemu_create_displaysurface_guestmem` function to create the display surface so that the guest memory gets properly unmapped. Signed-off-by: HOU Qiming Signed-off-by: Marcel Apfelbaum Message-id: 20190513115731.17588-2-marcel.apfelbaum@gmail.com [rename the new functions and use QEMU coding style] Signed-off-by: Marcel Apfelbaum Signed-off-by: Gerd Hoffmann --- hw/display/ramfb.c | 51 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 13 deletions(-) diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c index 25c8ad7c25..1955b048dd 100644 --- a/hw/display/ramfb.c +++ b/hw/display/ramfb.c @@ -32,33 +32,58 @@ struct RAMFBState { struct RAMFBCfg cfg; }; +static void ramfb_unmap_display_surface(pixman_image_t *image, void *unused) +{ + void *data = pixman_image_get_data(image); + uint32_t size = pixman_image_get_stride(image) * + pixman_image_get_height(image); + cpu_physical_memory_unmap(data, size, 0, 0); +} + +static DisplaySurface *ramfb_create_display_surface(int width, int height, + pixman_format_code_t format, + int linesize, uint64_t addr) +{ + DisplaySurface *surface; + hwaddr size; + void *data; + + if (linesize == 0) { + linesize = width * PIXMAN_FORMAT_BPP(format) / 8; + } + + size = (hwaddr)linesize * height; + data = cpu_physical_memory_map(addr, &size, 0); + if (size != (hwaddr)linesize * height) { + cpu_physical_memory_unmap(data, size, 0, 0); + return NULL; + } + + surface = qemu_create_displaysurface_from(width, height, + format, linesize, data); + pixman_image_set_destroy_function(surface->image, + ramfb_unmap_display_surface, NULL); + + return surface; +} + static void ramfb_fw_cfg_write(void *dev, off_t offset, size_t len) { RAMFBState *s = dev; - void *framebuffer; uint32_t fourcc, format; - hwaddr stride, addr, length; + hwaddr stride, addr; s->width = be32_to_cpu(s->cfg.width); s->height = be32_to_cpu(s->cfg.height); stride = be32_to_cpu(s->cfg.stride); fourcc = be32_to_cpu(s->cfg.fourcc); addr = be64_to_cpu(s->cfg.addr); - length = stride * s->height; format = qemu_drm_format_to_pixman(fourcc); fprintf(stderr, "%s: %dx%d @ 0x%" PRIx64 "\n", __func__, s->width, s->height, addr); - framebuffer = address_space_map(&address_space_memory, - addr, &length, false, - MEMTXATTRS_UNSPECIFIED); - if (!framebuffer || length < stride * s->height) { - s->width = 0; - s->height = 0; - return; - } - s->ds = qemu_create_displaysurface_from(s->width, s->height, - format, stride, framebuffer); + s->ds = ramfb_create_display_surface(s->width, s->height, + format, stride, addr); } void ramfb_display_update(QemuConsole *con, RAMFBState *s) From a9e0cb67b7f4c485755659f9b764c38b5f970de4 Mon Sep 17 00:00:00 2001 From: Hou Qiming Date: Mon, 13 May 2019 14:57:30 +0300 Subject: [PATCH 2/3] hw/display/ramfb: lock guest resolution after it's set Only allow one resolution change per guest boot, which prevents a crash when the guest writes garbage to the configuration space (e.g. when rebooting). Signed-off-by: HOU Qiming Signed-off-by: Marcel Apfelbaum Message-id: 20190513115731.17588-3-marcel.apfelbaum@gmail.com [fixed malformed patch] Signed-off-by: Marcel Apfelbaum Signed-off-by: Gerd Hoffmann --- hw/display/ramfb.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c index 1955b048dd..0fe79aa856 100644 --- a/hw/display/ramfb.c +++ b/hw/display/ramfb.c @@ -30,6 +30,7 @@ struct RAMFBState { DisplaySurface *ds; uint32_t width, height; struct RAMFBCfg cfg; + bool locked; }; static void ramfb_unmap_display_surface(pixman_image_t *image, void *unused) @@ -70,18 +71,25 @@ static DisplaySurface *ramfb_create_display_surface(int width, int height, static void ramfb_fw_cfg_write(void *dev, off_t offset, size_t len) { RAMFBState *s = dev; - uint32_t fourcc, format; + uint32_t fourcc, format, width, height; hwaddr stride, addr; - s->width = be32_to_cpu(s->cfg.width); - s->height = be32_to_cpu(s->cfg.height); + width = be32_to_cpu(s->cfg.width); + height = be32_to_cpu(s->cfg.height); stride = be32_to_cpu(s->cfg.stride); fourcc = be32_to_cpu(s->cfg.fourcc); addr = be64_to_cpu(s->cfg.addr); format = qemu_drm_format_to_pixman(fourcc); fprintf(stderr, "%s: %dx%d @ 0x%" PRIx64 "\n", __func__, - s->width, s->height, addr); + width, height, addr); + if (s->locked) { + fprintf(stderr, "%s: resolution locked, change rejected\n", __func__); + return; + } + s->locked = true; + s->width = width; + s->height = height; s->ds = ramfb_create_display_surface(s->width, s->height, format, stride, addr); } @@ -101,6 +109,13 @@ void ramfb_display_update(QemuConsole *con, RAMFBState *s) dpy_gfx_update_full(con); } +static void ramfb_reset(void *opaque) +{ + RAMFBState *s = (RAMFBState *)opaque; + s->locked = false; + memset(&s->cfg, 0, sizeof(s->cfg)); +} + RAMFBState *ramfb_setup(Error **errp) { FWCfgState *fw_cfg = fw_cfg_find(); @@ -113,9 +128,12 @@ RAMFBState *ramfb_setup(Error **errp) s = g_new0(RAMFBState, 1); + s->locked = false; + rom_add_vga("vgabios-ramfb.bin"); fw_cfg_add_file_callback(fw_cfg, "etc/ramfb", NULL, ramfb_fw_cfg_write, s, &s->cfg, sizeof(s->cfg), false); + qemu_register_reset(ramfb_reset, s); return s; } From f79081b4b71b72640bedd40a7cd76f864c8287f1 Mon Sep 17 00:00:00 2001 From: Hou Qiming Date: Mon, 13 May 2019 14:57:31 +0300 Subject: [PATCH 3/3] hw/display/ramfb: initialize fw-config space with xres/ yres If xres / yres were specified in QEMU command line, write them as an initial resolution to the fw-config space on guest reset, which a later BIOS / OVMF patch can take advantage of. Signed-off-by: HOU Qiming Signed-off-by: Marcel Apfelbaum Message-id: 20190513115731.17588-4-marcel.apfelbaum@gmail.com [fixed malformed patch] Signed-off-by: Marcel Apfelbaum Signed-off-by: Gerd Hoffmann --- hw/display/ramfb-standalone.c | 12 +++++++++++- hw/display/ramfb.c | 16 +++++++++++++++- hw/vfio/display.c | 4 ++-- include/hw/display/ramfb.h | 2 +- stubs/ramfb.c | 2 +- 5 files changed, 30 insertions(+), 6 deletions(-) diff --git a/hw/display/ramfb-standalone.c b/hw/display/ramfb-standalone.c index da3229a1f6..6441449e7b 100644 --- a/hw/display/ramfb-standalone.c +++ b/hw/display/ramfb-standalone.c @@ -1,6 +1,7 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "hw/loader.h" +#include "hw/isa/isa.h" #include "hw/display/ramfb.h" #include "ui/console.h" #include "sysemu/sysemu.h" @@ -11,6 +12,8 @@ typedef struct RAMFBStandaloneState { SysBusDevice parent_obj; QemuConsole *con; RAMFBState *state; + uint32_t xres; + uint32_t yres; } RAMFBStandaloneState; static void display_update_wrapper(void *dev) @@ -33,15 +36,22 @@ static void ramfb_realizefn(DeviceState *dev, Error **errp) RAMFBStandaloneState *ramfb = RAMFB(dev); ramfb->con = graphic_console_init(dev, 0, &wrapper_ops, dev); - ramfb->state = ramfb_setup(errp); + ramfb->state = ramfb_setup(dev, errp); } +static Property ramfb_properties[] = { + DEFINE_PROP_UINT32("xres", RAMFBStandaloneState, xres, 0), + DEFINE_PROP_UINT32("yres", RAMFBStandaloneState, yres, 0), + DEFINE_PROP_END_OF_LIST(), +}; + static void ramfb_class_initfn(ObjectClass *klass, void *data) { DeviceClass *dc = DEVICE_CLASS(klass); set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); dc->realize = ramfb_realizefn; + dc->props = ramfb_properties; dc->desc = "ram framebuffer standalone device"; dc->user_creatable = true; } diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c index 0fe79aa856..b4eb283ef8 100644 --- a/hw/display/ramfb.c +++ b/hw/display/ramfb.c @@ -12,6 +12,7 @@ */ #include "qemu/osdep.h" #include "qapi/error.h" +#include "qemu/option.h" #include "hw/loader.h" #include "hw/display/ramfb.h" #include "ui/console.h" @@ -29,6 +30,7 @@ struct QEMU_PACKED RAMFBCfg { struct RAMFBState { DisplaySurface *ds; uint32_t width, height; + uint32_t starting_width, starting_height; struct RAMFBCfg cfg; bool locked; }; @@ -114,9 +116,11 @@ static void ramfb_reset(void *opaque) RAMFBState *s = (RAMFBState *)opaque; s->locked = false; memset(&s->cfg, 0, sizeof(s->cfg)); + s->cfg.width = s->starting_width; + s->cfg.height = s->starting_height; } -RAMFBState *ramfb_setup(Error **errp) +RAMFBState *ramfb_setup(DeviceState* dev, Error **errp) { FWCfgState *fw_cfg = fw_cfg_find(); RAMFBState *s; @@ -128,6 +132,16 @@ RAMFBState *ramfb_setup(Error **errp) s = g_new0(RAMFBState, 1); + const char *s_fb_width = qemu_opt_get(dev->opts, "xres"); + const char *s_fb_height = qemu_opt_get(dev->opts, "yres"); + if (s_fb_width) { + s->cfg.width = atoi(s_fb_width); + s->starting_width = s->cfg.width; + } + if (s_fb_height) { + s->cfg.height = atoi(s_fb_height); + s->starting_height = s->cfg.height; + } s->locked = false; rom_add_vga("vgabios-ramfb.bin"); diff --git a/hw/vfio/display.c b/hw/vfio/display.c index a3d9c8f5be..2c2d3e5b71 100644 --- a/hw/vfio/display.c +++ b/hw/vfio/display.c @@ -352,7 +352,7 @@ static int vfio_display_dmabuf_init(VFIOPCIDevice *vdev, Error **errp) &vfio_display_dmabuf_ops, vdev); if (vdev->enable_ramfb) { - vdev->dpy->ramfb = ramfb_setup(errp); + vdev->dpy->ramfb = ramfb_setup(DEVICE(vdev), errp); } vfio_display_edid_init(vdev); return 0; @@ -478,7 +478,7 @@ static int vfio_display_region_init(VFIOPCIDevice *vdev, Error **errp) &vfio_display_region_ops, vdev); if (vdev->enable_ramfb) { - vdev->dpy->ramfb = ramfb_setup(errp); + vdev->dpy->ramfb = ramfb_setup(DEVICE(vdev), errp); } return 0; } diff --git a/include/hw/display/ramfb.h b/include/hw/display/ramfb.h index b33a2c467b..f6c2de93b2 100644 --- a/include/hw/display/ramfb.h +++ b/include/hw/display/ramfb.h @@ -4,7 +4,7 @@ /* ramfb.c */ typedef struct RAMFBState RAMFBState; void ramfb_display_update(QemuConsole *con, RAMFBState *s); -RAMFBState *ramfb_setup(Error **errp); +RAMFBState *ramfb_setup(DeviceState *dev, Error **errp); /* ramfb-standalone.c */ #define TYPE_RAMFB_DEVICE "ramfb" diff --git a/stubs/ramfb.c b/stubs/ramfb.c index 48143f3354..0799093a5d 100644 --- a/stubs/ramfb.c +++ b/stubs/ramfb.c @@ -6,7 +6,7 @@ void ramfb_display_update(QemuConsole *con, RAMFBState *s) { } -RAMFBState *ramfb_setup(Error **errp) +RAMFBState *ramfb_setup(DeviceState* dev, Error **errp) { error_setg(errp, "ramfb support not available"); return NULL;