qemu/hw/display/vmware_vga.c
<<
>>
Prefs
   1/*
   2 * QEMU VMware-SVGA "chipset".
   3 *
   4 * Copyright (c) 2007 Andrzej Zaborowski  <balrog@zabor.org>
   5 *
   6 * Permission is hereby granted, free of charge, to any person obtaining a copy
   7 * of this software and associated documentation files (the "Software"), to deal
   8 * in the Software without restriction, including without limitation the rights
   9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10 * copies of the Software, and to permit persons to whom the Software is
  11 * furnished to do so, subject to the following conditions:
  12 *
  13 * The above copyright notice and this permission notice shall be included in
  14 * all copies or substantial portions of the Software.
  15 *
  16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22 * THE SOFTWARE.
  23 */
  24
  25#include "qemu/osdep.h"
  26#include "qemu/module.h"
  27#include "qemu/units.h"
  28#include "qapi/error.h"
  29#include "hw/loader.h"
  30#include "trace.h"
  31#include "ui/vnc.h"
  32#include "hw/pci/pci.h"
  33#include "hw/qdev-properties.h"
  34#include "migration/vmstate.h"
  35
  36#undef VERBOSE
  37#define HW_RECT_ACCEL
  38#define HW_FILL_ACCEL
  39#define HW_MOUSE_ACCEL
  40
  41#include "vga_int.h"
  42
  43/* See http://vmware-svga.sf.net/ for some documentation on VMWare SVGA */
  44
  45struct vmsvga_state_s {
  46    VGACommonState vga;
  47
  48    int invalidated;
  49    int enable;
  50    int config;
  51    struct {
  52        int id;
  53        int x;
  54        int y;
  55        int on;
  56    } cursor;
  57
  58    int index;
  59    int scratch_size;
  60    uint32_t *scratch;
  61    int new_width;
  62    int new_height;
  63    int new_depth;
  64    uint32_t guest;
  65    uint32_t svgaid;
  66    int syncing;
  67
  68    MemoryRegion fifo_ram;
  69    uint8_t *fifo_ptr;
  70    unsigned int fifo_size;
  71
  72    uint32_t *fifo;
  73    uint32_t fifo_min;
  74    uint32_t fifo_max;
  75    uint32_t fifo_next;
  76    uint32_t fifo_stop;
  77
  78#define REDRAW_FIFO_LEN  512
  79    struct vmsvga_rect_s {
  80        int x, y, w, h;
  81    } redraw_fifo[REDRAW_FIFO_LEN];
  82    int redraw_fifo_first, redraw_fifo_last;
  83};
  84
  85#define TYPE_VMWARE_SVGA "vmware-svga"
  86
  87#define VMWARE_SVGA(obj) \
  88    OBJECT_CHECK(struct pci_vmsvga_state_s, (obj), TYPE_VMWARE_SVGA)
  89
  90struct pci_vmsvga_state_s {
  91    /*< private >*/
  92    PCIDevice parent_obj;
  93    /*< public >*/
  94
  95    struct vmsvga_state_s chip;
  96    MemoryRegion io_bar;
  97};
  98
  99#define SVGA_MAGIC              0x900000UL
 100#define SVGA_MAKE_ID(ver)       (SVGA_MAGIC << 8 | (ver))
 101#define SVGA_ID_0               SVGA_MAKE_ID(0)
 102#define SVGA_ID_1               SVGA_MAKE_ID(1)
 103#define SVGA_ID_2               SVGA_MAKE_ID(2)
 104
 105#define SVGA_LEGACY_BASE_PORT   0x4560
 106#define SVGA_INDEX_PORT         0x0
 107#define SVGA_VALUE_PORT         0x1
 108#define SVGA_BIOS_PORT          0x2
 109
 110#define SVGA_VERSION_2
 111
 112#ifdef SVGA_VERSION_2
 113# define SVGA_ID                SVGA_ID_2
 114# define SVGA_IO_BASE           SVGA_LEGACY_BASE_PORT
 115# define SVGA_IO_MUL            1
 116# define SVGA_FIFO_SIZE         0x10000
 117# define SVGA_PCI_DEVICE_ID     PCI_DEVICE_ID_VMWARE_SVGA2
 118#else
 119# define SVGA_ID                SVGA_ID_1
 120# define SVGA_IO_BASE           SVGA_LEGACY_BASE_PORT
 121# define SVGA_IO_MUL            4
 122# define SVGA_FIFO_SIZE         0x10000
 123# define SVGA_PCI_DEVICE_ID     PCI_DEVICE_ID_VMWARE_SVGA
 124#endif
 125
 126enum {
 127    /* ID 0, 1 and 2 registers */
 128    SVGA_REG_ID = 0,
 129    SVGA_REG_ENABLE = 1,
 130    SVGA_REG_WIDTH = 2,
 131    SVGA_REG_HEIGHT = 3,
 132    SVGA_REG_MAX_WIDTH = 4,
 133    SVGA_REG_MAX_HEIGHT = 5,
 134    SVGA_REG_DEPTH = 6,
 135    SVGA_REG_BITS_PER_PIXEL = 7,        /* Current bpp in the guest */
 136    SVGA_REG_PSEUDOCOLOR = 8,
 137    SVGA_REG_RED_MASK = 9,
 138    SVGA_REG_GREEN_MASK = 10,
 139    SVGA_REG_BLUE_MASK = 11,
 140    SVGA_REG_BYTES_PER_LINE = 12,
 141    SVGA_REG_FB_START = 13,
 142    SVGA_REG_FB_OFFSET = 14,
 143    SVGA_REG_VRAM_SIZE = 15,
 144    SVGA_REG_FB_SIZE = 16,
 145
 146    /* ID 1 and 2 registers */
 147    SVGA_REG_CAPABILITIES = 17,
 148    SVGA_REG_MEM_START = 18,            /* Memory for command FIFO */
 149    SVGA_REG_MEM_SIZE = 19,
 150    SVGA_REG_CONFIG_DONE = 20,          /* Set when memory area configured */
 151    SVGA_REG_SYNC = 21,                 /* Write to force synchronization */
 152    SVGA_REG_BUSY = 22,                 /* Read to check if sync is done */
 153    SVGA_REG_GUEST_ID = 23,             /* Set guest OS identifier */
 154    SVGA_REG_CURSOR_ID = 24,            /* ID of cursor */
 155    SVGA_REG_CURSOR_X = 25,             /* Set cursor X position */
 156    SVGA_REG_CURSOR_Y = 26,             /* Set cursor Y position */
 157    SVGA_REG_CURSOR_ON = 27,            /* Turn cursor on/off */
 158    SVGA_REG_HOST_BITS_PER_PIXEL = 28,  /* Current bpp in the host */
 159    SVGA_REG_SCRATCH_SIZE = 29,         /* Number of scratch registers */
 160    SVGA_REG_MEM_REGS = 30,             /* Number of FIFO registers */
 161    SVGA_REG_NUM_DISPLAYS = 31,         /* Number of guest displays */
 162    SVGA_REG_PITCHLOCK = 32,            /* Fixed pitch for all modes */
 163
 164    SVGA_PALETTE_BASE = 1024,           /* Base of SVGA color map */
 165    SVGA_PALETTE_END  = SVGA_PALETTE_BASE + 767,
 166    SVGA_SCRATCH_BASE = SVGA_PALETTE_BASE + 768,
 167};
 168
 169#define SVGA_CAP_NONE                   0
 170#define SVGA_CAP_RECT_FILL              (1 << 0)
 171#define SVGA_CAP_RECT_COPY              (1 << 1)
 172#define SVGA_CAP_RECT_PAT_FILL          (1 << 2)
 173#define SVGA_CAP_LEGACY_OFFSCREEN       (1 << 3)
 174#define SVGA_CAP_RASTER_OP              (1 << 4)
 175#define SVGA_CAP_CURSOR                 (1 << 5)
 176#define SVGA_CAP_CURSOR_BYPASS          (1 << 6)
 177#define SVGA_CAP_CURSOR_BYPASS_2        (1 << 7)
 178#define SVGA_CAP_8BIT_EMULATION         (1 << 8)
 179#define SVGA_CAP_ALPHA_CURSOR           (1 << 9)
 180#define SVGA_CAP_GLYPH                  (1 << 10)
 181#define SVGA_CAP_GLYPH_CLIPPING         (1 << 11)
 182#define SVGA_CAP_OFFSCREEN_1            (1 << 12)
 183#define SVGA_CAP_ALPHA_BLEND            (1 << 13)
 184#define SVGA_CAP_3D                     (1 << 14)
 185#define SVGA_CAP_EXTENDED_FIFO          (1 << 15)
 186#define SVGA_CAP_MULTIMON               (1 << 16)
 187#define SVGA_CAP_PITCHLOCK              (1 << 17)
 188
 189/*
 190 * FIFO offsets (seen as an array of 32-bit words)
 191 */
 192enum {
 193    /*
 194     * The original defined FIFO offsets
 195     */
 196    SVGA_FIFO_MIN = 0,
 197    SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
 198    SVGA_FIFO_NEXT,
 199    SVGA_FIFO_STOP,
 200
 201    /*
 202     * Additional offsets added as of SVGA_CAP_EXTENDED_FIFO
 203     */
 204    SVGA_FIFO_CAPABILITIES = 4,
 205    SVGA_FIFO_FLAGS,
 206    SVGA_FIFO_FENCE,
 207    SVGA_FIFO_3D_HWVERSION,
 208    SVGA_FIFO_PITCHLOCK,
 209};
 210
 211#define SVGA_FIFO_CAP_NONE              0
 212#define SVGA_FIFO_CAP_FENCE             (1 << 0)
 213#define SVGA_FIFO_CAP_ACCELFRONT        (1 << 1)
 214#define SVGA_FIFO_CAP_PITCHLOCK         (1 << 2)
 215
 216#define SVGA_FIFO_FLAG_NONE             0
 217#define SVGA_FIFO_FLAG_ACCELFRONT       (1 << 0)
 218
 219/* These values can probably be changed arbitrarily.  */
 220#define SVGA_SCRATCH_SIZE               0x8000
 221#define SVGA_MAX_WIDTH                  ROUND_UP(2360, VNC_DIRTY_PIXELS_PER_BIT)
 222#define SVGA_MAX_HEIGHT                 1770
 223
 224#ifdef VERBOSE
 225# define GUEST_OS_BASE          0x5001
 226static const char *vmsvga_guest_id[] = {
 227    [0x00] = "Dos",
 228    [0x01] = "Windows 3.1",
 229    [0x02] = "Windows 95",
 230    [0x03] = "Windows 98",
 231    [0x04] = "Windows ME",
 232    [0x05] = "Windows NT",
 233    [0x06] = "Windows 2000",
 234    [0x07] = "Linux",
 235    [0x08] = "OS/2",
 236    [0x09] = "an unknown OS",
 237    [0x0a] = "BSD",
 238    [0x0b] = "Whistler",
 239    [0x0c] = "an unknown OS",
 240    [0x0d] = "an unknown OS",
 241    [0x0e] = "an unknown OS",
 242    [0x0f] = "an unknown OS",
 243    [0x10] = "an unknown OS",
 244    [0x11] = "an unknown OS",
 245    [0x12] = "an unknown OS",
 246    [0x13] = "an unknown OS",
 247    [0x14] = "an unknown OS",
 248    [0x15] = "Windows 2003",
 249};
 250#endif
 251
 252enum {
 253    SVGA_CMD_INVALID_CMD = 0,
 254    SVGA_CMD_UPDATE = 1,
 255    SVGA_CMD_RECT_FILL = 2,
 256    SVGA_CMD_RECT_COPY = 3,
 257    SVGA_CMD_DEFINE_BITMAP = 4,
 258    SVGA_CMD_DEFINE_BITMAP_SCANLINE = 5,
 259    SVGA_CMD_DEFINE_PIXMAP = 6,
 260    SVGA_CMD_DEFINE_PIXMAP_SCANLINE = 7,
 261    SVGA_CMD_RECT_BITMAP_FILL = 8,
 262    SVGA_CMD_RECT_PIXMAP_FILL = 9,
 263    SVGA_CMD_RECT_BITMAP_COPY = 10,
 264    SVGA_CMD_RECT_PIXMAP_COPY = 11,
 265    SVGA_CMD_FREE_OBJECT = 12,
 266    SVGA_CMD_RECT_ROP_FILL = 13,
 267    SVGA_CMD_RECT_ROP_COPY = 14,
 268    SVGA_CMD_RECT_ROP_BITMAP_FILL = 15,
 269    SVGA_CMD_RECT_ROP_PIXMAP_FILL = 16,
 270    SVGA_CMD_RECT_ROP_BITMAP_COPY = 17,
 271    SVGA_CMD_RECT_ROP_PIXMAP_COPY = 18,
 272    SVGA_CMD_DEFINE_CURSOR = 19,
 273    SVGA_CMD_DISPLAY_CURSOR = 20,
 274    SVGA_CMD_MOVE_CURSOR = 21,
 275    SVGA_CMD_DEFINE_ALPHA_CURSOR = 22,
 276    SVGA_CMD_DRAW_GLYPH = 23,
 277    SVGA_CMD_DRAW_GLYPH_CLIPPED = 24,
 278    SVGA_CMD_UPDATE_VERBOSE = 25,
 279    SVGA_CMD_SURFACE_FILL = 26,
 280    SVGA_CMD_SURFACE_COPY = 27,
 281    SVGA_CMD_SURFACE_ALPHA_BLEND = 28,
 282    SVGA_CMD_FRONT_ROP_FILL = 29,
 283    SVGA_CMD_FENCE = 30,
 284};
 285
 286/* Legal values for the SVGA_REG_CURSOR_ON register in cursor bypass mode */
 287enum {
 288    SVGA_CURSOR_ON_HIDE = 0,
 289    SVGA_CURSOR_ON_SHOW = 1,
 290    SVGA_CURSOR_ON_REMOVE_FROM_FB = 2,
 291    SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
 292};
 293
 294static inline bool vmsvga_verify_rect(DisplaySurface *surface,
 295                                      const char *name,
 296                                      int x, int y, int w, int h)
 297{
 298    if (x < 0) {
 299        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
 300        return false;
 301    }
 302    if (x > SVGA_MAX_WIDTH) {
 303        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
 304        return false;
 305    }
 306    if (w < 0) {
 307        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
 308        return false;
 309    }
 310    if (w > SVGA_MAX_WIDTH) {
 311        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
 312        return false;
 313    }
 314    if (x + w > surface_width(surface)) {
 315        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
 316                name, surface_width(surface), x, w);
 317        return false;
 318    }
 319
 320    if (y < 0) {
 321        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
 322        return false;
 323    }
 324    if (y > SVGA_MAX_HEIGHT) {
 325        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
 326        return false;
 327    }
 328    if (h < 0) {
 329        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
 330        return false;
 331    }
 332    if (h > SVGA_MAX_HEIGHT) {
 333        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
 334        return false;
 335    }
 336    if (y + h > surface_height(surface)) {
 337        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
 338                name, surface_height(surface), y, h);
 339        return false;
 340    }
 341
 342    return true;
 343}
 344
 345static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
 346                                      int x, int y, int w, int h)
 347{
 348    DisplaySurface *surface = qemu_console_surface(s->vga.con);
 349    int line;
 350    int bypl;
 351    int width;
 352    int start;
 353    uint8_t *src;
 354    uint8_t *dst;
 355
 356    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
 357        /* go for a fullscreen update as fallback */
 358        x = 0;
 359        y = 0;
 360        w = surface_width(surface);
 361        h = surface_height(surface);
 362    }
 363
 364    bypl = surface_stride(surface);
 365    width = surface_bytes_per_pixel(surface) * w;
 366    start = surface_bytes_per_pixel(surface) * x + bypl * y;
 367    src = s->vga.vram_ptr + start;
 368    dst = surface_data(surface) + start;
 369
 370    for (line = h; line > 0; line--, src += bypl, dst += bypl) {
 371        memcpy(dst, src, width);
 372    }
 373    dpy_gfx_update(s->vga.con, x, y, w, h);
 374}
 375
 376static inline void vmsvga_update_rect_delayed(struct vmsvga_state_s *s,
 377                int x, int y, int w, int h)
 378{
 379    struct vmsvga_rect_s *rect = &s->redraw_fifo[s->redraw_fifo_last++];
 380
 381    s->redraw_fifo_last &= REDRAW_FIFO_LEN - 1;
 382    rect->x = x;
 383    rect->y = y;
 384    rect->w = w;
 385    rect->h = h;
 386}
 387
 388static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
 389{
 390    struct vmsvga_rect_s *rect;
 391
 392    if (s->invalidated) {
 393        s->redraw_fifo_first = s->redraw_fifo_last;
 394        return;
 395    }
 396    /* Overlapping region updates can be optimised out here - if someone
 397     * knows a smart algorithm to do that, please share.  */
 398    while (s->redraw_fifo_first != s->redraw_fifo_last) {
 399        rect = &s->redraw_fifo[s->redraw_fifo_first++];
 400        s->redraw_fifo_first &= REDRAW_FIFO_LEN - 1;
 401        vmsvga_update_rect(s, rect->x, rect->y, rect->w, rect->h);
 402    }
 403}
 404
 405#ifdef HW_RECT_ACCEL
 406static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
 407                int x0, int y0, int x1, int y1, int w, int h)
 408{
 409    DisplaySurface *surface = qemu_console_surface(s->vga.con);
 410    uint8_t *vram = s->vga.vram_ptr;
 411    int bypl = surface_stride(surface);
 412    int bypp = surface_bytes_per_pixel(surface);
 413    int width = bypp * w;
 414    int line = h;
 415    uint8_t *ptr[2];
 416
 417    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
 418        return -1;
 419    }
 420    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
 421        return -1;
 422    }
 423
 424    if (y1 > y0) {
 425        ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
 426        ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
 427        for (; line > 0; line --, ptr[0] -= bypl, ptr[1] -= bypl) {
 428            memmove(ptr[1], ptr[0], width);
 429        }
 430    } else {
 431        ptr[0] = vram + bypp * x0 + bypl * y0;
 432        ptr[1] = vram + bypp * x1 + bypl * y1;
 433        for (; line > 0; line --, ptr[0] += bypl, ptr[1] += bypl) {
 434            memmove(ptr[1], ptr[0], width);
 435        }
 436    }
 437
 438    vmsvga_update_rect_delayed(s, x1, y1, w, h);
 439    return 0;
 440}
 441#endif
 442
 443#ifdef HW_FILL_ACCEL
 444static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
 445                uint32_t c, int x, int y, int w, int h)
 446{
 447    DisplaySurface *surface = qemu_console_surface(s->vga.con);
 448    int bypl = surface_stride(surface);
 449    int width = surface_bytes_per_pixel(surface) * w;
 450    int line = h;
 451    int column;
 452    uint8_t *fst;
 453    uint8_t *dst;
 454    uint8_t *src;
 455    uint8_t col[4];
 456
 457    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
 458        return -1;
 459    }
 460
 461    col[0] = c;
 462    col[1] = c >> 8;
 463    col[2] = c >> 16;
 464    col[3] = c >> 24;
 465
 466    fst = s->vga.vram_ptr + surface_bytes_per_pixel(surface) * x + bypl * y;
 467
 468    if (line--) {
 469        dst = fst;
 470        src = col;
 471        for (column = width; column > 0; column--) {
 472            *(dst++) = *(src++);
 473            if (src - col == surface_bytes_per_pixel(surface)) {
 474                src = col;
 475            }
 476        }
 477        dst = fst;
 478        for (; line > 0; line--) {
 479            dst += bypl;
 480            memcpy(dst, fst, width);
 481        }
 482    }
 483
 484    vmsvga_update_rect_delayed(s, x, y, w, h);
 485    return 0;
 486}
 487#endif
 488
 489struct vmsvga_cursor_definition_s {
 490    uint32_t width;
 491    uint32_t height;
 492    int id;
 493    uint32_t bpp;
 494    int hot_x;
 495    int hot_y;
 496    uint32_t mask[1024];
 497    uint32_t image[4096];
 498};
 499
 500#define SVGA_BITMAP_SIZE(w, h)          ((((w) + 31) >> 5) * (h))
 501#define SVGA_PIXMAP_SIZE(w, h, bpp)     (((((w) * (bpp)) + 31) >> 5) * (h))
 502
 503#ifdef HW_MOUSE_ACCEL
 504static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
 505                struct vmsvga_cursor_definition_s *c)
 506{
 507    QEMUCursor *qc;
 508    int i, pixels;
 509
 510    qc = cursor_alloc(c->width, c->height);
 511    qc->hot_x = c->hot_x;
 512    qc->hot_y = c->hot_y;
 513    switch (c->bpp) {
 514    case 1:
 515        cursor_set_mono(qc, 0xffffff, 0x000000, (void *)c->image,
 516                        1, (void *)c->mask);
 517#ifdef DEBUG
 518        cursor_print_ascii_art(qc, "vmware/mono");
 519#endif
 520        break;
 521    case 32:
 522        /* fill alpha channel from mask, set color to zero */
 523        cursor_set_mono(qc, 0x000000, 0x000000, (void *)c->mask,
 524                        1, (void *)c->mask);
 525        /* add in rgb values */
 526        pixels = c->width * c->height;
 527        for (i = 0; i < pixels; i++) {
 528            qc->data[i] |= c->image[i] & 0xffffff;
 529        }
 530#ifdef DEBUG
 531        cursor_print_ascii_art(qc, "vmware/32bit");
 532#endif
 533        break;
 534    default:
 535        fprintf(stderr, "%s: unhandled bpp %d, using fallback cursor\n",
 536                __func__, c->bpp);
 537        cursor_put(qc);
 538        qc = cursor_builtin_left_ptr();
 539    }
 540
 541    dpy_cursor_define(s->vga.con, qc);
 542    cursor_put(qc);
 543}
 544#endif
 545
 546static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
 547{
 548    int num;
 549
 550    if (!s->config || !s->enable) {
 551        return 0;
 552    }
 553
 554    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
 555    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
 556    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
 557    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
 558
 559    /* Check range and alignment.  */
 560    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
 561        return 0;
 562    }
 563    if (s->fifo_min < sizeof(uint32_t) * 4) {
 564        return 0;
 565    }
 566    if (s->fifo_max > SVGA_FIFO_SIZE ||
 567        s->fifo_min >= SVGA_FIFO_SIZE ||
 568        s->fifo_stop >= SVGA_FIFO_SIZE ||
 569        s->fifo_next >= SVGA_FIFO_SIZE) {
 570        return 0;
 571    }
 572    if (s->fifo_max < s->fifo_min + 10 * KiB) {
 573        return 0;
 574    }
 575
 576    num = s->fifo_next - s->fifo_stop;
 577    if (num < 0) {
 578        num += s->fifo_max - s->fifo_min;
 579    }
 580    return num >> 2;
 581}
 582
 583static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
 584{
 585    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
 586
 587    s->fifo_stop += 4;
 588    if (s->fifo_stop >= s->fifo_max) {
 589        s->fifo_stop = s->fifo_min;
 590    }
 591    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
 592    return cmd;
 593}
 594
 595static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
 596{
 597    return le32_to_cpu(vmsvga_fifo_read_raw(s));
 598}
 599
 600static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 601{
 602    uint32_t cmd, colour;
 603    int args, len, maxloop = 1024;
 604    int x, y, dx, dy, width, height;
 605    struct vmsvga_cursor_definition_s cursor;
 606    uint32_t cmd_start;
 607
 608    len = vmsvga_fifo_length(s);
 609    while (len > 0 && --maxloop > 0) {
 610        /* May need to go back to the start of the command if incomplete */
 611        cmd_start = s->fifo_stop;
 612
 613        switch (cmd = vmsvga_fifo_read(s)) {
 614        case SVGA_CMD_UPDATE:
 615        case SVGA_CMD_UPDATE_VERBOSE:
 616            len -= 5;
 617            if (len < 0) {
 618                goto rewind;
 619            }
 620
 621            x = vmsvga_fifo_read(s);
 622            y = vmsvga_fifo_read(s);
 623            width = vmsvga_fifo_read(s);
 624            height = vmsvga_fifo_read(s);
 625            vmsvga_update_rect_delayed(s, x, y, width, height);
 626            break;
 627
 628        case SVGA_CMD_RECT_FILL:
 629            len -= 6;
 630            if (len < 0) {
 631                goto rewind;
 632            }
 633
 634            colour = vmsvga_fifo_read(s);
 635            x = vmsvga_fifo_read(s);
 636            y = vmsvga_fifo_read(s);
 637            width = vmsvga_fifo_read(s);
 638            height = vmsvga_fifo_read(s);
 639#ifdef HW_FILL_ACCEL
 640            if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
 641                break;
 642            }
 643#endif
 644            args = 0;
 645            goto badcmd;
 646
 647        case SVGA_CMD_RECT_COPY:
 648            len -= 7;
 649            if (len < 0) {
 650                goto rewind;
 651            }
 652
 653            x = vmsvga_fifo_read(s);
 654            y = vmsvga_fifo_read(s);
 655            dx = vmsvga_fifo_read(s);
 656            dy = vmsvga_fifo_read(s);
 657            width = vmsvga_fifo_read(s);
 658            height = vmsvga_fifo_read(s);
 659#ifdef HW_RECT_ACCEL
 660            if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
 661                break;
 662            }
 663#endif
 664            args = 0;
 665            goto badcmd;
 666
 667        case SVGA_CMD_DEFINE_CURSOR:
 668            len -= 8;
 669            if (len < 0) {
 670                goto rewind;
 671            }
 672
 673            cursor.id = vmsvga_fifo_read(s);
 674            cursor.hot_x = vmsvga_fifo_read(s);
 675            cursor.hot_y = vmsvga_fifo_read(s);
 676            cursor.width = x = vmsvga_fifo_read(s);
 677            cursor.height = y = vmsvga_fifo_read(s);
 678            vmsvga_fifo_read(s);
 679            cursor.bpp = vmsvga_fifo_read(s);
 680
 681            args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
 682            if (cursor.width > 256
 683                || cursor.height > 256
 684                || cursor.bpp > 32
 685                || SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask)
 686                || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
 687                    > ARRAY_SIZE(cursor.image)) {
 688                    goto badcmd;
 689            }
 690
 691            len -= args;
 692            if (len < 0) {
 693                goto rewind;
 694            }
 695
 696            for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args++) {
 697                cursor.mask[args] = vmsvga_fifo_read_raw(s);
 698            }
 699            for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args++) {
 700                cursor.image[args] = vmsvga_fifo_read_raw(s);
 701            }
 702#ifdef HW_MOUSE_ACCEL
 703            vmsvga_cursor_define(s, &cursor);
 704            break;
 705#else
 706            args = 0;
 707            goto badcmd;
 708#endif
 709
 710        /*
 711         * Other commands that we at least know the number of arguments
 712         * for so we can avoid FIFO desync if driver uses them illegally.
 713         */
 714        case SVGA_CMD_DEFINE_ALPHA_CURSOR:
 715            len -= 6;
 716            if (len < 0) {
 717                goto rewind;
 718            }
 719            vmsvga_fifo_read(s);
 720            vmsvga_fifo_read(s);
 721            vmsvga_fifo_read(s);
 722            x = vmsvga_fifo_read(s);
 723            y = vmsvga_fifo_read(s);
 724            args = x * y;
 725            goto badcmd;
 726        case SVGA_CMD_RECT_ROP_FILL:
 727            args = 6;
 728            goto badcmd;
 729        case SVGA_CMD_RECT_ROP_COPY:
 730            args = 7;
 731            goto badcmd;
 732        case SVGA_CMD_DRAW_GLYPH_CLIPPED:
 733            len -= 4;
 734            if (len < 0) {
 735                goto rewind;
 736            }
 737            vmsvga_fifo_read(s);
 738            vmsvga_fifo_read(s);
 739            args = 7 + (vmsvga_fifo_read(s) >> 2);
 740            goto badcmd;
 741        case SVGA_CMD_SURFACE_ALPHA_BLEND:
 742            args = 12;
 743            goto badcmd;
 744
 745        /*
 746         * Other commands that are not listed as depending on any
 747         * CAPABILITIES bits, but are not described in the README either.
 748         */
 749        case SVGA_CMD_SURFACE_FILL:
 750        case SVGA_CMD_SURFACE_COPY:
 751        case SVGA_CMD_FRONT_ROP_FILL:
 752        case SVGA_CMD_FENCE:
 753        case SVGA_CMD_INVALID_CMD:
 754            break; /* Nop */
 755
 756        default:
 757            args = 0;
 758        badcmd:
 759            len -= args;
 760            if (len < 0) {
 761                goto rewind;
 762            }
 763            while (args--) {
 764                vmsvga_fifo_read(s);
 765            }
 766            printf("%s: Unknown command 0x%02x in SVGA command FIFO\n",
 767                   __func__, cmd);
 768            break;
 769
 770        rewind:
 771            s->fifo_stop = cmd_start;
 772            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
 773            break;
 774        }
 775    }
 776
 777    s->syncing = 0;
 778}
 779
 780static uint32_t vmsvga_index_read(void *opaque, uint32_t address)
 781{
 782    struct vmsvga_state_s *s = opaque;
 783
 784    return s->index;
 785}
 786
 787static void vmsvga_index_write(void *opaque, uint32_t address, uint32_t index)
 788{
 789    struct vmsvga_state_s *s = opaque;
 790
 791    s->index = index;
 792}
 793
 794static uint32_t vmsvga_value_read(void *opaque, uint32_t address)
 795{
 796    uint32_t caps;
 797    struct vmsvga_state_s *s = opaque;
 798    DisplaySurface *surface = qemu_console_surface(s->vga.con);
 799    PixelFormat pf;
 800    uint32_t ret;
 801
 802    switch (s->index) {
 803    case SVGA_REG_ID:
 804        ret = s->svgaid;
 805        break;
 806
 807    case SVGA_REG_ENABLE:
 808        ret = s->enable;
 809        break;
 810
 811    case SVGA_REG_WIDTH:
 812        ret = s->new_width ? s->new_width : surface_width(surface);
 813        break;
 814
 815    case SVGA_REG_HEIGHT:
 816        ret = s->new_height ? s->new_height : surface_height(surface);
 817        break;
 818
 819    case SVGA_REG_MAX_WIDTH:
 820        ret = SVGA_MAX_WIDTH;
 821        break;
 822
 823    case SVGA_REG_MAX_HEIGHT:
 824        ret = SVGA_MAX_HEIGHT;
 825        break;
 826
 827    case SVGA_REG_DEPTH:
 828        ret = (s->new_depth == 32) ? 24 : s->new_depth;
 829        break;
 830
 831    case SVGA_REG_BITS_PER_PIXEL:
 832    case SVGA_REG_HOST_BITS_PER_PIXEL:
 833        ret = s->new_depth;
 834        break;
 835
 836    case SVGA_REG_PSEUDOCOLOR:
 837        ret = 0x0;
 838        break;
 839
 840    case SVGA_REG_RED_MASK:
 841        pf = qemu_default_pixelformat(s->new_depth);
 842        ret = pf.rmask;
 843        break;
 844
 845    case SVGA_REG_GREEN_MASK:
 846        pf = qemu_default_pixelformat(s->new_depth);
 847        ret = pf.gmask;
 848        break;
 849
 850    case SVGA_REG_BLUE_MASK:
 851        pf = qemu_default_pixelformat(s->new_depth);
 852        ret = pf.bmask;
 853        break;
 854
 855    case SVGA_REG_BYTES_PER_LINE:
 856        if (s->new_width) {
 857            ret = (s->new_depth * s->new_width) / 8;
 858        } else {
 859            ret = surface_stride(surface);
 860        }
 861        break;
 862
 863    case SVGA_REG_FB_START: {
 864        struct pci_vmsvga_state_s *pci_vmsvga
 865            = container_of(s, struct pci_vmsvga_state_s, chip);
 866        ret = pci_get_bar_addr(PCI_DEVICE(pci_vmsvga), 1);
 867        break;
 868    }
 869
 870    case SVGA_REG_FB_OFFSET:
 871        ret = 0x0;
 872        break;
 873
 874    case SVGA_REG_VRAM_SIZE:
 875        ret = s->vga.vram_size; /* No physical VRAM besides the framebuffer */
 876        break;
 877
 878    case SVGA_REG_FB_SIZE:
 879        ret = s->vga.vram_size;
 880        break;
 881
 882    case SVGA_REG_CAPABILITIES:
 883        caps = SVGA_CAP_NONE;
 884#ifdef HW_RECT_ACCEL
 885        caps |= SVGA_CAP_RECT_COPY;
 886#endif
 887#ifdef HW_FILL_ACCEL
 888        caps |= SVGA_CAP_RECT_FILL;
 889#endif
 890#ifdef HW_MOUSE_ACCEL
 891        if (dpy_cursor_define_supported(s->vga.con)) {
 892            caps |= SVGA_CAP_CURSOR | SVGA_CAP_CURSOR_BYPASS_2 |
 893                    SVGA_CAP_CURSOR_BYPASS;
 894        }
 895#endif
 896        ret = caps;
 897        break;
 898
 899    case SVGA_REG_MEM_START: {
 900        struct pci_vmsvga_state_s *pci_vmsvga
 901            = container_of(s, struct pci_vmsvga_state_s, chip);
 902        ret = pci_get_bar_addr(PCI_DEVICE(pci_vmsvga), 2);
 903        break;
 904    }
 905
 906    case SVGA_REG_MEM_SIZE:
 907        ret = s->fifo_size;
 908        break;
 909
 910    case SVGA_REG_CONFIG_DONE:
 911        ret = s->config;
 912        break;
 913
 914    case SVGA_REG_SYNC:
 915    case SVGA_REG_BUSY:
 916        ret = s->syncing;
 917        break;
 918
 919    case SVGA_REG_GUEST_ID:
 920        ret = s->guest;
 921        break;
 922
 923    case SVGA_REG_CURSOR_ID:
 924        ret = s->cursor.id;
 925        break;
 926
 927    case SVGA_REG_CURSOR_X:
 928        ret = s->cursor.x;
 929        break;
 930
 931    case SVGA_REG_CURSOR_Y:
 932        ret = s->cursor.y;
 933        break;
 934
 935    case SVGA_REG_CURSOR_ON:
 936        ret = s->cursor.on;
 937        break;
 938
 939    case SVGA_REG_SCRATCH_SIZE:
 940        ret = s->scratch_size;
 941        break;
 942
 943    case SVGA_REG_MEM_REGS:
 944    case SVGA_REG_NUM_DISPLAYS:
 945    case SVGA_REG_PITCHLOCK:
 946    case SVGA_PALETTE_BASE ... SVGA_PALETTE_END:
 947        ret = 0;
 948        break;
 949
 950    default:
 951        if (s->index >= SVGA_SCRATCH_BASE &&
 952            s->index < SVGA_SCRATCH_BASE + s->scratch_size) {
 953            ret = s->scratch[s->index - SVGA_SCRATCH_BASE];
 954            break;
 955        }
 956        printf("%s: Bad register %02x\n", __func__, s->index);
 957        ret = 0;
 958        break;
 959    }
 960
 961    if (s->index >= SVGA_SCRATCH_BASE) {
 962        trace_vmware_scratch_read(s->index, ret);
 963    } else if (s->index >= SVGA_PALETTE_BASE) {
 964        trace_vmware_palette_read(s->index, ret);
 965    } else {
 966        trace_vmware_value_read(s->index, ret);
 967    }
 968    return ret;
 969}
 970
 971static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
 972{
 973    struct vmsvga_state_s *s = opaque;
 974
 975    if (s->index >= SVGA_SCRATCH_BASE) {
 976        trace_vmware_scratch_write(s->index, value);
 977    } else if (s->index >= SVGA_PALETTE_BASE) {
 978        trace_vmware_palette_write(s->index, value);
 979    } else {
 980        trace_vmware_value_write(s->index, value);
 981    }
 982    switch (s->index) {
 983    case SVGA_REG_ID:
 984        if (value == SVGA_ID_2 || value == SVGA_ID_1 || value == SVGA_ID_0) {
 985            s->svgaid = value;
 986        }
 987        break;
 988
 989    case SVGA_REG_ENABLE:
 990        s->enable = !!value;
 991        s->invalidated = 1;
 992        s->vga.hw_ops->invalidate(&s->vga);
 993        if (s->enable && s->config) {
 994            vga_dirty_log_stop(&s->vga);
 995        } else {
 996            vga_dirty_log_start(&s->vga);
 997        }
 998        break;
 999
1000    case SVGA_REG_WIDTH:
1001        if (value <= SVGA_MAX_WIDTH) {
1002            s->new_width = value;
1003            s->invalidated = 1;
1004        } else {
1005            printf("%s: Bad width: %i\n", __func__, value);
1006        }
1007        break;
1008
1009    case SVGA_REG_HEIGHT:
1010        if (value <= SVGA_MAX_HEIGHT) {
1011            s->new_height = value;
1012            s->invalidated = 1;
1013        } else {
1014            printf("%s: Bad height: %i\n", __func__, value);
1015        }
1016        break;
1017
1018    case SVGA_REG_BITS_PER_PIXEL:
1019        if (value != 32) {
1020            printf("%s: Bad bits per pixel: %i bits\n", __func__, value);
1021            s->config = 0;
1022            s->invalidated = 1;
1023        }
1024        break;
1025
1026    case SVGA_REG_CONFIG_DONE:
1027        if (value) {
1028            s->fifo = (uint32_t *) s->fifo_ptr;
1029            vga_dirty_log_stop(&s->vga);
1030        }
1031        s->config = !!value;
1032        break;
1033
1034    case SVGA_REG_SYNC:
1035        s->syncing = 1;
1036        vmsvga_fifo_run(s); /* Or should we just wait for update_display? */
1037        break;
1038
1039    case SVGA_REG_GUEST_ID:
1040        s->guest = value;
1041#ifdef VERBOSE
1042        if (value >= GUEST_OS_BASE && value < GUEST_OS_BASE +
1043            ARRAY_SIZE(vmsvga_guest_id)) {
1044            printf("%s: guest runs %s.\n", __func__,
1045                   vmsvga_guest_id[value - GUEST_OS_BASE]);
1046        }
1047#endif
1048        break;
1049
1050    case SVGA_REG_CURSOR_ID:
1051        s->cursor.id = value;
1052        break;
1053
1054    case SVGA_REG_CURSOR_X:
1055        s->cursor.x = value;
1056        break;
1057
1058    case SVGA_REG_CURSOR_Y:
1059        s->cursor.y = value;
1060        break;
1061
1062    case SVGA_REG_CURSOR_ON:
1063        s->cursor.on |= (value == SVGA_CURSOR_ON_SHOW);
1064        s->cursor.on &= (value != SVGA_CURSOR_ON_HIDE);
1065#ifdef HW_MOUSE_ACCEL
1066        if (value <= SVGA_CURSOR_ON_SHOW) {
1067            dpy_mouse_set(s->vga.con, s->cursor.x, s->cursor.y, s->cursor.on);
1068        }
1069#endif
1070        break;
1071
1072    case SVGA_REG_DEPTH:
1073    case SVGA_REG_MEM_REGS:
1074    case SVGA_REG_NUM_DISPLAYS:
1075    case SVGA_REG_PITCHLOCK:
1076    case SVGA_PALETTE_BASE ... SVGA_PALETTE_END:
1077        break;
1078
1079    default:
1080        if (s->index >= SVGA_SCRATCH_BASE &&
1081                s->index < SVGA_SCRATCH_BASE + s->scratch_size) {
1082            s->scratch[s->index - SVGA_SCRATCH_BASE] = value;
1083            break;
1084        }
1085        printf("%s: Bad register %02x\n", __func__, s->index);
1086    }
1087}
1088
1089static uint32_t vmsvga_bios_read(void *opaque, uint32_t address)
1090{
1091    printf("%s: what are we supposed to return?\n", __func__);
1092    return 0xcafe;
1093}
1094
1095static void vmsvga_bios_write(void *opaque, uint32_t address, uint32_t data)
1096{
1097    printf("%s: what are we supposed to do with (%08x)?\n", __func__, data);
1098}
1099
1100static inline void vmsvga_check_size(struct vmsvga_state_s *s)
1101{
1102    DisplaySurface *surface = qemu_console_surface(s->vga.con);
1103
1104    if (s->new_width != surface_width(surface) ||
1105        s->new_height != surface_height(surface) ||
1106        s->new_depth != surface_bits_per_pixel(surface)) {
1107        int stride = (s->new_depth * s->new_width) / 8;
1108        pixman_format_code_t format =
1109            qemu_default_pixman_format(s->new_depth, true);
1110        trace_vmware_setmode(s->new_width, s->new_height, s->new_depth);
1111        surface = qemu_create_displaysurface_from(s->new_width, s->new_height,
1112                                                  format, stride,
1113                                                  s->vga.vram_ptr);
1114        dpy_gfx_replace_surface(s->vga.con, surface);
1115        s->invalidated = 1;
1116    }
1117}
1118
1119static void vmsvga_update_display(void *opaque)
1120{
1121    struct vmsvga_state_s *s = opaque;
1122
1123    if (!s->enable || !s->config) {
1124        /* in standard vga mode */
1125        s->vga.hw_ops->gfx_update(&s->vga);
1126        return;
1127    }
1128
1129    vmsvga_check_size(s);
1130
1131    vmsvga_fifo_run(s);
1132    vmsvga_update_rect_flush(s);
1133
1134    if (s->invalidated) {
1135        s->invalidated = 0;
1136        dpy_gfx_update_full(s->vga.con);
1137    }
1138}
1139
1140static void vmsvga_reset(DeviceState *dev)
1141{
1142    struct pci_vmsvga_state_s *pci = VMWARE_SVGA(dev);
1143    struct vmsvga_state_s *s = &pci->chip;
1144
1145    s->index = 0;
1146    s->enable = 0;
1147    s->config = 0;
1148    s->svgaid = SVGA_ID;
1149    s->cursor.on = 0;
1150    s->redraw_fifo_first = 0;
1151    s->redraw_fifo_last = 0;
1152    s->syncing = 0;
1153
1154    vga_dirty_log_start(&s->vga);
1155}
1156
1157static void vmsvga_invalidate_display(void *opaque)
1158{
1159    struct vmsvga_state_s *s = opaque;
1160    if (!s->enable) {
1161        s->vga.hw_ops->invalidate(&s->vga);
1162        return;
1163    }
1164
1165    s->invalidated = 1;
1166}
1167
1168static void vmsvga_text_update(void *opaque, console_ch_t *chardata)
1169{
1170    struct vmsvga_state_s *s = opaque;
1171
1172    if (s->vga.hw_ops->text_update) {
1173        s->vga.hw_ops->text_update(&s->vga, chardata);
1174    }
1175}
1176
1177static int vmsvga_post_load(void *opaque, int version_id)
1178{
1179    struct vmsvga_state_s *s = opaque;
1180
1181    s->invalidated = 1;
1182    if (s->config) {
1183        s->fifo = (uint32_t *) s->fifo_ptr;
1184    }
1185    return 0;
1186}
1187
1188static const VMStateDescription vmstate_vmware_vga_internal = {
1189    .name = "vmware_vga_internal",
1190    .version_id = 0,
1191    .minimum_version_id = 0,
1192    .post_load = vmsvga_post_load,
1193    .fields = (VMStateField[]) {
1194        VMSTATE_INT32_EQUAL(new_depth, struct vmsvga_state_s, NULL),
1195        VMSTATE_INT32(enable, struct vmsvga_state_s),
1196        VMSTATE_INT32(config, struct vmsvga_state_s),
1197        VMSTATE_INT32(cursor.id, struct vmsvga_state_s),
1198        VMSTATE_INT32(cursor.x, struct vmsvga_state_s),
1199        VMSTATE_INT32(cursor.y, struct vmsvga_state_s),
1200        VMSTATE_INT32(cursor.on, struct vmsvga_state_s),
1201        VMSTATE_INT32(index, struct vmsvga_state_s),
1202        VMSTATE_VARRAY_INT32(scratch, struct vmsvga_state_s,
1203                             scratch_size, 0, vmstate_info_uint32, uint32_t),
1204        VMSTATE_INT32(new_width, struct vmsvga_state_s),
1205        VMSTATE_INT32(new_height, struct vmsvga_state_s),
1206        VMSTATE_UINT32(guest, struct vmsvga_state_s),
1207        VMSTATE_UINT32(svgaid, struct vmsvga_state_s),
1208        VMSTATE_INT32(syncing, struct vmsvga_state_s),
1209        VMSTATE_UNUSED(4), /* was fb_size */
1210        VMSTATE_END_OF_LIST()
1211    }
1212};
1213
1214static const VMStateDescription vmstate_vmware_vga = {
1215    .name = "vmware_vga",
1216    .version_id = 0,
1217    .minimum_version_id = 0,
1218    .fields = (VMStateField[]) {
1219        VMSTATE_PCI_DEVICE(parent_obj, struct pci_vmsvga_state_s),
1220        VMSTATE_STRUCT(chip, struct pci_vmsvga_state_s, 0,
1221                       vmstate_vmware_vga_internal, struct vmsvga_state_s),
1222        VMSTATE_END_OF_LIST()
1223    }
1224};
1225
1226static const GraphicHwOps vmsvga_ops = {
1227    .invalidate  = vmsvga_invalidate_display,
1228    .gfx_update  = vmsvga_update_display,
1229    .text_update = vmsvga_text_update,
1230};
1231
1232static void vmsvga_init(DeviceState *dev, struct vmsvga_state_s *s,
1233                        MemoryRegion *address_space, MemoryRegion *io)
1234{
1235    s->scratch_size = SVGA_SCRATCH_SIZE;
1236    s->scratch = g_malloc(s->scratch_size * 4);
1237
1238    s->vga.con = graphic_console_init(dev, 0, &vmsvga_ops, s);
1239
1240    s->fifo_size = SVGA_FIFO_SIZE;
1241    memory_region_init_ram(&s->fifo_ram, NULL, "vmsvga.fifo", s->fifo_size,
1242                           &error_fatal);
1243    s->fifo_ptr = memory_region_get_ram_ptr(&s->fifo_ram);
1244
1245    vga_common_init(&s->vga, OBJECT(dev));
1246    vga_init(&s->vga, OBJECT(dev), address_space, io, true);
1247    vmstate_register(NULL, 0, &vmstate_vga_common, &s->vga);
1248    s->new_depth = 32;
1249}
1250
1251static uint64_t vmsvga_io_read(void *opaque, hwaddr addr, unsigned size)
1252{
1253    struct vmsvga_state_s *s = opaque;
1254
1255    switch (addr) {
1256    case SVGA_IO_MUL * SVGA_INDEX_PORT: return vmsvga_index_read(s, addr);
1257    case SVGA_IO_MUL * SVGA_VALUE_PORT: return vmsvga_value_read(s, addr);
1258    case SVGA_IO_MUL * SVGA_BIOS_PORT: return vmsvga_bios_read(s, addr);
1259    default: return -1u;
1260    }
1261}
1262
1263static void vmsvga_io_write(void *opaque, hwaddr addr,
1264                            uint64_t data, unsigned size)
1265{
1266    struct vmsvga_state_s *s = opaque;
1267
1268    switch (addr) {
1269    case SVGA_IO_MUL * SVGA_INDEX_PORT:
1270        vmsvga_index_write(s, addr, data);
1271        break;
1272    case SVGA_IO_MUL * SVGA_VALUE_PORT:
1273        vmsvga_value_write(s, addr, data);
1274        break;
1275    case SVGA_IO_MUL * SVGA_BIOS_PORT:
1276        vmsvga_bios_write(s, addr, data);
1277        break;
1278    }
1279}
1280
1281static const MemoryRegionOps vmsvga_io_ops = {
1282    .read = vmsvga_io_read,
1283    .write = vmsvga_io_write,
1284    .endianness = DEVICE_LITTLE_ENDIAN,
1285    .valid = {
1286        .min_access_size = 4,
1287        .max_access_size = 4,
1288        .unaligned = true,
1289    },
1290    .impl = {
1291        .unaligned = true,
1292    },
1293};
1294
1295static void pci_vmsvga_realize(PCIDevice *dev, Error **errp)
1296{
1297    struct pci_vmsvga_state_s *s = VMWARE_SVGA(dev);
1298
1299    dev->config[PCI_CACHE_LINE_SIZE] = 0x08;
1300    dev->config[PCI_LATENCY_TIMER] = 0x40;
1301    dev->config[PCI_INTERRUPT_LINE] = 0xff;          /* End */
1302
1303    memory_region_init_io(&s->io_bar, NULL, &vmsvga_io_ops, &s->chip,
1304                          "vmsvga-io", 0x10);
1305    memory_region_set_flush_coalesced(&s->io_bar);
1306    pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1307
1308    vmsvga_init(DEVICE(dev), &s->chip,
1309                pci_address_space(dev), pci_address_space_io(dev));
1310
1311    pci_register_bar(dev, 1, PCI_BASE_ADDRESS_MEM_PREFETCH,
1312                     &s->chip.vga.vram);
1313    pci_register_bar(dev, 2, PCI_BASE_ADDRESS_MEM_PREFETCH,
1314                     &s->chip.fifo_ram);
1315}
1316
1317static Property vga_vmware_properties[] = {
1318    DEFINE_PROP_UINT32("vgamem_mb", struct pci_vmsvga_state_s,
1319                       chip.vga.vram_size_mb, 16),
1320    DEFINE_PROP_BOOL("global-vmstate", struct pci_vmsvga_state_s,
1321                     chip.vga.global_vmstate, false),
1322    DEFINE_PROP_END_OF_LIST(),
1323};
1324
1325static void vmsvga_class_init(ObjectClass *klass, void *data)
1326{
1327    DeviceClass *dc = DEVICE_CLASS(klass);
1328    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
1329
1330    k->realize = pci_vmsvga_realize;
1331    k->romfile = "vgabios-vmware.bin";
1332    k->vendor_id = PCI_VENDOR_ID_VMWARE;
1333    k->device_id = SVGA_PCI_DEVICE_ID;
1334    k->class_id = PCI_CLASS_DISPLAY_VGA;
1335    k->subsystem_vendor_id = PCI_VENDOR_ID_VMWARE;
1336    k->subsystem_id = SVGA_PCI_DEVICE_ID;
1337    dc->reset = vmsvga_reset;
1338    dc->vmsd = &vmstate_vmware_vga;
1339    device_class_set_props(dc, vga_vmware_properties);
1340    dc->hotpluggable = false;
1341    set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
1342}
1343
1344static const TypeInfo vmsvga_info = {
1345    .name          = TYPE_VMWARE_SVGA,
1346    .parent        = TYPE_PCI_DEVICE,
1347    .instance_size = sizeof(struct pci_vmsvga_state_s),
1348    .class_init    = vmsvga_class_init,
1349    .interfaces = (InterfaceInfo[]) {
1350        { INTERFACE_CONVENTIONAL_PCI_DEVICE },
1351        { },
1352    },
1353};
1354
1355static void vmsvga_register_types(void)
1356{
1357    type_register_static(&vmsvga_info);
1358}
1359
1360type_init(vmsvga_register_types)
1361