xref: /openbmc/qemu/hw/display/vmware_vga.c (revision 4a09d0bb)
1 /*
2  * QEMU VMware-SVGA "chipset".
3  *
4  * Copyright (c) 2007 Andrzej Zaborowski  <balrog@zabor.org>
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 #include "qemu/osdep.h"
25 #include "qapi/error.h"
26 #include "hw/hw.h"
27 #include "hw/loader.h"
28 #include "trace.h"
29 #include "ui/console.h"
30 #include "ui/vnc.h"
31 #include "hw/pci/pci.h"
32 
33 #undef VERBOSE
34 #define HW_RECT_ACCEL
35 #define HW_FILL_ACCEL
36 #define HW_MOUSE_ACCEL
37 
38 #include "vga_int.h"
39 
40 /* See http://vmware-svga.sf.net/ for some documentation on VMWare SVGA */
41 
42 struct vmsvga_state_s {
43     VGACommonState vga;
44 
45     int invalidated;
46     int enable;
47     int config;
48     struct {
49         int id;
50         int x;
51         int y;
52         int on;
53     } cursor;
54 
55     int index;
56     int scratch_size;
57     uint32_t *scratch;
58     int new_width;
59     int new_height;
60     int new_depth;
61     uint32_t guest;
62     uint32_t svgaid;
63     int syncing;
64 
65     MemoryRegion fifo_ram;
66     uint8_t *fifo_ptr;
67     unsigned int fifo_size;
68 
69     uint32_t *fifo;
70     uint32_t fifo_min;
71     uint32_t fifo_max;
72     uint32_t fifo_next;
73     uint32_t fifo_stop;
74 
75 #define REDRAW_FIFO_LEN  512
76     struct vmsvga_rect_s {
77         int x, y, w, h;
78     } redraw_fifo[REDRAW_FIFO_LEN];
79     int redraw_fifo_first, redraw_fifo_last;
80 };
81 
82 #define TYPE_VMWARE_SVGA "vmware-svga"
83 
84 #define VMWARE_SVGA(obj) \
85     OBJECT_CHECK(struct pci_vmsvga_state_s, (obj), TYPE_VMWARE_SVGA)
86 
87 struct pci_vmsvga_state_s {
88     /*< private >*/
89     PCIDevice parent_obj;
90     /*< public >*/
91 
92     struct vmsvga_state_s chip;
93     MemoryRegion io_bar;
94 };
95 
96 #define SVGA_MAGIC              0x900000UL
97 #define SVGA_MAKE_ID(ver)       (SVGA_MAGIC << 8 | (ver))
98 #define SVGA_ID_0               SVGA_MAKE_ID(0)
99 #define SVGA_ID_1               SVGA_MAKE_ID(1)
100 #define SVGA_ID_2               SVGA_MAKE_ID(2)
101 
102 #define SVGA_LEGACY_BASE_PORT   0x4560
103 #define SVGA_INDEX_PORT         0x0
104 #define SVGA_VALUE_PORT         0x1
105 #define SVGA_BIOS_PORT          0x2
106 
107 #define SVGA_VERSION_2
108 
109 #ifdef SVGA_VERSION_2
110 # define SVGA_ID                SVGA_ID_2
111 # define SVGA_IO_BASE           SVGA_LEGACY_BASE_PORT
112 # define SVGA_IO_MUL            1
113 # define SVGA_FIFO_SIZE         0x10000
114 # define SVGA_PCI_DEVICE_ID     PCI_DEVICE_ID_VMWARE_SVGA2
115 #else
116 # define SVGA_ID                SVGA_ID_1
117 # define SVGA_IO_BASE           SVGA_LEGACY_BASE_PORT
118 # define SVGA_IO_MUL            4
119 # define SVGA_FIFO_SIZE         0x10000
120 # define SVGA_PCI_DEVICE_ID     PCI_DEVICE_ID_VMWARE_SVGA
121 #endif
122 
123 enum {
124     /* ID 0, 1 and 2 registers */
125     SVGA_REG_ID = 0,
126     SVGA_REG_ENABLE = 1,
127     SVGA_REG_WIDTH = 2,
128     SVGA_REG_HEIGHT = 3,
129     SVGA_REG_MAX_WIDTH = 4,
130     SVGA_REG_MAX_HEIGHT = 5,
131     SVGA_REG_DEPTH = 6,
132     SVGA_REG_BITS_PER_PIXEL = 7,        /* Current bpp in the guest */
133     SVGA_REG_PSEUDOCOLOR = 8,
134     SVGA_REG_RED_MASK = 9,
135     SVGA_REG_GREEN_MASK = 10,
136     SVGA_REG_BLUE_MASK = 11,
137     SVGA_REG_BYTES_PER_LINE = 12,
138     SVGA_REG_FB_START = 13,
139     SVGA_REG_FB_OFFSET = 14,
140     SVGA_REG_VRAM_SIZE = 15,
141     SVGA_REG_FB_SIZE = 16,
142 
143     /* ID 1 and 2 registers */
144     SVGA_REG_CAPABILITIES = 17,
145     SVGA_REG_MEM_START = 18,            /* Memory for command FIFO */
146     SVGA_REG_MEM_SIZE = 19,
147     SVGA_REG_CONFIG_DONE = 20,          /* Set when memory area configured */
148     SVGA_REG_SYNC = 21,                 /* Write to force synchronization */
149     SVGA_REG_BUSY = 22,                 /* Read to check if sync is done */
150     SVGA_REG_GUEST_ID = 23,             /* Set guest OS identifier */
151     SVGA_REG_CURSOR_ID = 24,            /* ID of cursor */
152     SVGA_REG_CURSOR_X = 25,             /* Set cursor X position */
153     SVGA_REG_CURSOR_Y = 26,             /* Set cursor Y position */
154     SVGA_REG_CURSOR_ON = 27,            /* Turn cursor on/off */
155     SVGA_REG_HOST_BITS_PER_PIXEL = 28,  /* Current bpp in the host */
156     SVGA_REG_SCRATCH_SIZE = 29,         /* Number of scratch registers */
157     SVGA_REG_MEM_REGS = 30,             /* Number of FIFO registers */
158     SVGA_REG_NUM_DISPLAYS = 31,         /* Number of guest displays */
159     SVGA_REG_PITCHLOCK = 32,            /* Fixed pitch for all modes */
160 
161     SVGA_PALETTE_BASE = 1024,           /* Base of SVGA color map */
162     SVGA_PALETTE_END  = SVGA_PALETTE_BASE + 767,
163     SVGA_SCRATCH_BASE = SVGA_PALETTE_BASE + 768,
164 };
165 
166 #define SVGA_CAP_NONE                   0
167 #define SVGA_CAP_RECT_FILL              (1 << 0)
168 #define SVGA_CAP_RECT_COPY              (1 << 1)
169 #define SVGA_CAP_RECT_PAT_FILL          (1 << 2)
170 #define SVGA_CAP_LEGACY_OFFSCREEN       (1 << 3)
171 #define SVGA_CAP_RASTER_OP              (1 << 4)
172 #define SVGA_CAP_CURSOR                 (1 << 5)
173 #define SVGA_CAP_CURSOR_BYPASS          (1 << 6)
174 #define SVGA_CAP_CURSOR_BYPASS_2        (1 << 7)
175 #define SVGA_CAP_8BIT_EMULATION         (1 << 8)
176 #define SVGA_CAP_ALPHA_CURSOR           (1 << 9)
177 #define SVGA_CAP_GLYPH                  (1 << 10)
178 #define SVGA_CAP_GLYPH_CLIPPING         (1 << 11)
179 #define SVGA_CAP_OFFSCREEN_1            (1 << 12)
180 #define SVGA_CAP_ALPHA_BLEND            (1 << 13)
181 #define SVGA_CAP_3D                     (1 << 14)
182 #define SVGA_CAP_EXTENDED_FIFO          (1 << 15)
183 #define SVGA_CAP_MULTIMON               (1 << 16)
184 #define SVGA_CAP_PITCHLOCK              (1 << 17)
185 
186 /*
187  * FIFO offsets (seen as an array of 32-bit words)
188  */
189 enum {
190     /*
191      * The original defined FIFO offsets
192      */
193     SVGA_FIFO_MIN = 0,
194     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
195     SVGA_FIFO_NEXT,
196     SVGA_FIFO_STOP,
197 
198     /*
199      * Additional offsets added as of SVGA_CAP_EXTENDED_FIFO
200      */
201     SVGA_FIFO_CAPABILITIES = 4,
202     SVGA_FIFO_FLAGS,
203     SVGA_FIFO_FENCE,
204     SVGA_FIFO_3D_HWVERSION,
205     SVGA_FIFO_PITCHLOCK,
206 };
207 
208 #define SVGA_FIFO_CAP_NONE              0
209 #define SVGA_FIFO_CAP_FENCE             (1 << 0)
210 #define SVGA_FIFO_CAP_ACCELFRONT        (1 << 1)
211 #define SVGA_FIFO_CAP_PITCHLOCK         (1 << 2)
212 
213 #define SVGA_FIFO_FLAG_NONE             0
214 #define SVGA_FIFO_FLAG_ACCELFRONT       (1 << 0)
215 
216 /* These values can probably be changed arbitrarily.  */
217 #define SVGA_SCRATCH_SIZE               0x8000
218 #define SVGA_MAX_WIDTH                  ROUND_UP(2360, VNC_DIRTY_PIXELS_PER_BIT)
219 #define SVGA_MAX_HEIGHT                 1770
220 
221 #ifdef VERBOSE
222 # define GUEST_OS_BASE          0x5001
223 static const char *vmsvga_guest_id[] = {
224     [0x00] = "Dos",
225     [0x01] = "Windows 3.1",
226     [0x02] = "Windows 95",
227     [0x03] = "Windows 98",
228     [0x04] = "Windows ME",
229     [0x05] = "Windows NT",
230     [0x06] = "Windows 2000",
231     [0x07] = "Linux",
232     [0x08] = "OS/2",
233     [0x09] = "an unknown OS",
234     [0x0a] = "BSD",
235     [0x0b] = "Whistler",
236     [0x0c] = "an unknown OS",
237     [0x0d] = "an unknown OS",
238     [0x0e] = "an unknown OS",
239     [0x0f] = "an unknown OS",
240     [0x10] = "an unknown OS",
241     [0x11] = "an unknown OS",
242     [0x12] = "an unknown OS",
243     [0x13] = "an unknown OS",
244     [0x14] = "an unknown OS",
245     [0x15] = "Windows 2003",
246 };
247 #endif
248 
249 enum {
250     SVGA_CMD_INVALID_CMD = 0,
251     SVGA_CMD_UPDATE = 1,
252     SVGA_CMD_RECT_FILL = 2,
253     SVGA_CMD_RECT_COPY = 3,
254     SVGA_CMD_DEFINE_BITMAP = 4,
255     SVGA_CMD_DEFINE_BITMAP_SCANLINE = 5,
256     SVGA_CMD_DEFINE_PIXMAP = 6,
257     SVGA_CMD_DEFINE_PIXMAP_SCANLINE = 7,
258     SVGA_CMD_RECT_BITMAP_FILL = 8,
259     SVGA_CMD_RECT_PIXMAP_FILL = 9,
260     SVGA_CMD_RECT_BITMAP_COPY = 10,
261     SVGA_CMD_RECT_PIXMAP_COPY = 11,
262     SVGA_CMD_FREE_OBJECT = 12,
263     SVGA_CMD_RECT_ROP_FILL = 13,
264     SVGA_CMD_RECT_ROP_COPY = 14,
265     SVGA_CMD_RECT_ROP_BITMAP_FILL = 15,
266     SVGA_CMD_RECT_ROP_PIXMAP_FILL = 16,
267     SVGA_CMD_RECT_ROP_BITMAP_COPY = 17,
268     SVGA_CMD_RECT_ROP_PIXMAP_COPY = 18,
269     SVGA_CMD_DEFINE_CURSOR = 19,
270     SVGA_CMD_DISPLAY_CURSOR = 20,
271     SVGA_CMD_MOVE_CURSOR = 21,
272     SVGA_CMD_DEFINE_ALPHA_CURSOR = 22,
273     SVGA_CMD_DRAW_GLYPH = 23,
274     SVGA_CMD_DRAW_GLYPH_CLIPPED = 24,
275     SVGA_CMD_UPDATE_VERBOSE = 25,
276     SVGA_CMD_SURFACE_FILL = 26,
277     SVGA_CMD_SURFACE_COPY = 27,
278     SVGA_CMD_SURFACE_ALPHA_BLEND = 28,
279     SVGA_CMD_FRONT_ROP_FILL = 29,
280     SVGA_CMD_FENCE = 30,
281 };
282 
283 /* Legal values for the SVGA_REG_CURSOR_ON register in cursor bypass mode */
284 enum {
285     SVGA_CURSOR_ON_HIDE = 0,
286     SVGA_CURSOR_ON_SHOW = 1,
287     SVGA_CURSOR_ON_REMOVE_FROM_FB = 2,
288     SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
289 };
290 
291 static inline bool vmsvga_verify_rect(DisplaySurface *surface,
292                                       const char *name,
293                                       int x, int y, int w, int h)
294 {
295     if (x < 0) {
296         fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
297         return false;
298     }
299     if (x > SVGA_MAX_WIDTH) {
300         fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
301         return false;
302     }
303     if (w < 0) {
304         fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
305         return false;
306     }
307     if (w > SVGA_MAX_WIDTH) {
308         fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
309         return false;
310     }
311     if (x + w > surface_width(surface)) {
312         fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
313                 name, surface_width(surface), x, w);
314         return false;
315     }
316 
317     if (y < 0) {
318         fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
319         return false;
320     }
321     if (y > SVGA_MAX_HEIGHT) {
322         fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
323         return false;
324     }
325     if (h < 0) {
326         fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
327         return false;
328     }
329     if (h > SVGA_MAX_HEIGHT) {
330         fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
331         return false;
332     }
333     if (y + h > surface_height(surface)) {
334         fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
335                 name, surface_height(surface), y, h);
336         return false;
337     }
338 
339     return true;
340 }
341 
342 static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
343                                       int x, int y, int w, int h)
344 {
345     DisplaySurface *surface = qemu_console_surface(s->vga.con);
346     int line;
347     int bypl;
348     int width;
349     int start;
350     uint8_t *src;
351     uint8_t *dst;
352 
353     if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
354         /* go for a fullscreen update as fallback */
355         x = 0;
356         y = 0;
357         w = surface_width(surface);
358         h = surface_height(surface);
359     }
360 
361     bypl = surface_stride(surface);
362     width = surface_bytes_per_pixel(surface) * w;
363     start = surface_bytes_per_pixel(surface) * x + bypl * y;
364     src = s->vga.vram_ptr + start;
365     dst = surface_data(surface) + start;
366 
367     for (line = h; line > 0; line--, src += bypl, dst += bypl) {
368         memcpy(dst, src, width);
369     }
370     dpy_gfx_update(s->vga.con, x, y, w, h);
371 }
372 
373 static inline void vmsvga_update_rect_delayed(struct vmsvga_state_s *s,
374                 int x, int y, int w, int h)
375 {
376     struct vmsvga_rect_s *rect = &s->redraw_fifo[s->redraw_fifo_last++];
377 
378     s->redraw_fifo_last &= REDRAW_FIFO_LEN - 1;
379     rect->x = x;
380     rect->y = y;
381     rect->w = w;
382     rect->h = h;
383 }
384 
385 static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
386 {
387     struct vmsvga_rect_s *rect;
388 
389     if (s->invalidated) {
390         s->redraw_fifo_first = s->redraw_fifo_last;
391         return;
392     }
393     /* Overlapping region updates can be optimised out here - if someone
394      * knows a smart algorithm to do that, please share.  */
395     while (s->redraw_fifo_first != s->redraw_fifo_last) {
396         rect = &s->redraw_fifo[s->redraw_fifo_first++];
397         s->redraw_fifo_first &= REDRAW_FIFO_LEN - 1;
398         vmsvga_update_rect(s, rect->x, rect->y, rect->w, rect->h);
399     }
400 }
401 
402 #ifdef HW_RECT_ACCEL
403 static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
404                 int x0, int y0, int x1, int y1, int w, int h)
405 {
406     DisplaySurface *surface = qemu_console_surface(s->vga.con);
407     uint8_t *vram = s->vga.vram_ptr;
408     int bypl = surface_stride(surface);
409     int bypp = surface_bytes_per_pixel(surface);
410     int width = bypp * w;
411     int line = h;
412     uint8_t *ptr[2];
413 
414     if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
415         return -1;
416     }
417     if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
418         return -1;
419     }
420 
421     if (y1 > y0) {
422         ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
423         ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
424         for (; line > 0; line --, ptr[0] -= bypl, ptr[1] -= bypl) {
425             memmove(ptr[1], ptr[0], width);
426         }
427     } else {
428         ptr[0] = vram + bypp * x0 + bypl * y0;
429         ptr[1] = vram + bypp * x1 + bypl * y1;
430         for (; line > 0; line --, ptr[0] += bypl, ptr[1] += bypl) {
431             memmove(ptr[1], ptr[0], width);
432         }
433     }
434 
435     vmsvga_update_rect_delayed(s, x1, y1, w, h);
436     return 0;
437 }
438 #endif
439 
440 #ifdef HW_FILL_ACCEL
441 static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
442                 uint32_t c, int x, int y, int w, int h)
443 {
444     DisplaySurface *surface = qemu_console_surface(s->vga.con);
445     int bypl = surface_stride(surface);
446     int width = surface_bytes_per_pixel(surface) * w;
447     int line = h;
448     int column;
449     uint8_t *fst;
450     uint8_t *dst;
451     uint8_t *src;
452     uint8_t col[4];
453 
454     if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
455         return -1;
456     }
457 
458     col[0] = c;
459     col[1] = c >> 8;
460     col[2] = c >> 16;
461     col[3] = c >> 24;
462 
463     fst = s->vga.vram_ptr + surface_bytes_per_pixel(surface) * x + bypl * y;
464 
465     if (line--) {
466         dst = fst;
467         src = col;
468         for (column = width; column > 0; column--) {
469             *(dst++) = *(src++);
470             if (src - col == surface_bytes_per_pixel(surface)) {
471                 src = col;
472             }
473         }
474         dst = fst;
475         for (; line > 0; line--) {
476             dst += bypl;
477             memcpy(dst, fst, width);
478         }
479     }
480 
481     vmsvga_update_rect_delayed(s, x, y, w, h);
482     return 0;
483 }
484 #endif
485 
486 struct vmsvga_cursor_definition_s {
487     uint32_t width;
488     uint32_t height;
489     int id;
490     uint32_t bpp;
491     int hot_x;
492     int hot_y;
493     uint32_t mask[1024];
494     uint32_t image[4096];
495 };
496 
497 #define SVGA_BITMAP_SIZE(w, h)          ((((w) + 31) >> 5) * (h))
498 #define SVGA_PIXMAP_SIZE(w, h, bpp)     (((((w) * (bpp)) + 31) >> 5) * (h))
499 
500 #ifdef HW_MOUSE_ACCEL
501 static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
502                 struct vmsvga_cursor_definition_s *c)
503 {
504     QEMUCursor *qc;
505     int i, pixels;
506 
507     qc = cursor_alloc(c->width, c->height);
508     qc->hot_x = c->hot_x;
509     qc->hot_y = c->hot_y;
510     switch (c->bpp) {
511     case 1:
512         cursor_set_mono(qc, 0xffffff, 0x000000, (void *)c->image,
513                         1, (void *)c->mask);
514 #ifdef DEBUG
515         cursor_print_ascii_art(qc, "vmware/mono");
516 #endif
517         break;
518     case 32:
519         /* fill alpha channel from mask, set color to zero */
520         cursor_set_mono(qc, 0x000000, 0x000000, (void *)c->mask,
521                         1, (void *)c->mask);
522         /* add in rgb values */
523         pixels = c->width * c->height;
524         for (i = 0; i < pixels; i++) {
525             qc->data[i] |= c->image[i] & 0xffffff;
526         }
527 #ifdef DEBUG
528         cursor_print_ascii_art(qc, "vmware/32bit");
529 #endif
530         break;
531     default:
532         fprintf(stderr, "%s: unhandled bpp %d, using fallback cursor\n",
533                 __func__, c->bpp);
534         cursor_put(qc);
535         qc = cursor_builtin_left_ptr();
536     }
537 
538     dpy_cursor_define(s->vga.con, qc);
539     cursor_put(qc);
540 }
541 #endif
542 
543 static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
544 {
545     int num;
546 
547     if (!s->config || !s->enable) {
548         return 0;
549     }
550 
551     s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
552     s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
553     s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
554     s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
555 
556     /* Check range and alignment.  */
557     if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
558         return 0;
559     }
560     if (s->fifo_min < sizeof(uint32_t) * 4) {
561         return 0;
562     }
563     if (s->fifo_max > SVGA_FIFO_SIZE ||
564         s->fifo_min >= SVGA_FIFO_SIZE ||
565         s->fifo_stop >= SVGA_FIFO_SIZE ||
566         s->fifo_next >= SVGA_FIFO_SIZE) {
567         return 0;
568     }
569     if (s->fifo_max < s->fifo_min + 10 * 1024) {
570         return 0;
571     }
572 
573     num = s->fifo_next - s->fifo_stop;
574     if (num < 0) {
575         num += s->fifo_max - s->fifo_min;
576     }
577     return num >> 2;
578 }
579 
580 static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
581 {
582     uint32_t cmd = s->fifo[s->fifo_stop >> 2];
583 
584     s->fifo_stop += 4;
585     if (s->fifo_stop >= s->fifo_max) {
586         s->fifo_stop = s->fifo_min;
587     }
588     s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
589     return cmd;
590 }
591 
592 static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
593 {
594     return le32_to_cpu(vmsvga_fifo_read_raw(s));
595 }
596 
597 static void vmsvga_fifo_run(struct vmsvga_state_s *s)
598 {
599     uint32_t cmd, colour;
600     int args, len, maxloop = 1024;
601     int x, y, dx, dy, width, height;
602     struct vmsvga_cursor_definition_s cursor;
603     uint32_t cmd_start;
604 
605     len = vmsvga_fifo_length(s);
606     while (len > 0 && --maxloop > 0) {
607         /* May need to go back to the start of the command if incomplete */
608         cmd_start = s->fifo_stop;
609 
610         switch (cmd = vmsvga_fifo_read(s)) {
611         case SVGA_CMD_UPDATE:
612         case SVGA_CMD_UPDATE_VERBOSE:
613             len -= 5;
614             if (len < 0) {
615                 goto rewind;
616             }
617 
618             x = vmsvga_fifo_read(s);
619             y = vmsvga_fifo_read(s);
620             width = vmsvga_fifo_read(s);
621             height = vmsvga_fifo_read(s);
622             vmsvga_update_rect_delayed(s, x, y, width, height);
623             break;
624 
625         case SVGA_CMD_RECT_FILL:
626             len -= 6;
627             if (len < 0) {
628                 goto rewind;
629             }
630 
631             colour = vmsvga_fifo_read(s);
632             x = vmsvga_fifo_read(s);
633             y = vmsvga_fifo_read(s);
634             width = vmsvga_fifo_read(s);
635             height = vmsvga_fifo_read(s);
636 #ifdef HW_FILL_ACCEL
637             if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
638                 break;
639             }
640 #endif
641             args = 0;
642             goto badcmd;
643 
644         case SVGA_CMD_RECT_COPY:
645             len -= 7;
646             if (len < 0) {
647                 goto rewind;
648             }
649 
650             x = vmsvga_fifo_read(s);
651             y = vmsvga_fifo_read(s);
652             dx = vmsvga_fifo_read(s);
653             dy = vmsvga_fifo_read(s);
654             width = vmsvga_fifo_read(s);
655             height = vmsvga_fifo_read(s);
656 #ifdef HW_RECT_ACCEL
657             if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
658                 break;
659             }
660 #endif
661             args = 0;
662             goto badcmd;
663 
664         case SVGA_CMD_DEFINE_CURSOR:
665             len -= 8;
666             if (len < 0) {
667                 goto rewind;
668             }
669 
670             cursor.id = vmsvga_fifo_read(s);
671             cursor.hot_x = vmsvga_fifo_read(s);
672             cursor.hot_y = vmsvga_fifo_read(s);
673             cursor.width = x = vmsvga_fifo_read(s);
674             cursor.height = y = vmsvga_fifo_read(s);
675             vmsvga_fifo_read(s);
676             cursor.bpp = vmsvga_fifo_read(s);
677 
678             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
679             if (cursor.width > 256
680                 || cursor.height > 256
681                 || cursor.bpp > 32
682                 || SVGA_BITMAP_SIZE(x, y)
683                     > sizeof(cursor.mask) / sizeof(cursor.mask[0])
684                 || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
685                     > sizeof(cursor.image) / sizeof(cursor.image[0])) {
686                     goto badcmd;
687             }
688 
689             len -= args;
690             if (len < 0) {
691                 goto rewind;
692             }
693 
694             for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args++) {
695                 cursor.mask[args] = vmsvga_fifo_read_raw(s);
696             }
697             for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args++) {
698                 cursor.image[args] = vmsvga_fifo_read_raw(s);
699             }
700 #ifdef HW_MOUSE_ACCEL
701             vmsvga_cursor_define(s, &cursor);
702             break;
703 #else
704             args = 0;
705             goto badcmd;
706 #endif
707 
708         /*
709          * Other commands that we at least know the number of arguments
710          * for so we can avoid FIFO desync if driver uses them illegally.
711          */
712         case SVGA_CMD_DEFINE_ALPHA_CURSOR:
713             len -= 6;
714             if (len < 0) {
715                 goto rewind;
716             }
717             vmsvga_fifo_read(s);
718             vmsvga_fifo_read(s);
719             vmsvga_fifo_read(s);
720             x = vmsvga_fifo_read(s);
721             y = vmsvga_fifo_read(s);
722             args = x * y;
723             goto badcmd;
724         case SVGA_CMD_RECT_ROP_FILL:
725             args = 6;
726             goto badcmd;
727         case SVGA_CMD_RECT_ROP_COPY:
728             args = 7;
729             goto badcmd;
730         case SVGA_CMD_DRAW_GLYPH_CLIPPED:
731             len -= 4;
732             if (len < 0) {
733                 goto rewind;
734             }
735             vmsvga_fifo_read(s);
736             vmsvga_fifo_read(s);
737             args = 7 + (vmsvga_fifo_read(s) >> 2);
738             goto badcmd;
739         case SVGA_CMD_SURFACE_ALPHA_BLEND:
740             args = 12;
741             goto badcmd;
742 
743         /*
744          * Other commands that are not listed as depending on any
745          * CAPABILITIES bits, but are not described in the README either.
746          */
747         case SVGA_CMD_SURFACE_FILL:
748         case SVGA_CMD_SURFACE_COPY:
749         case SVGA_CMD_FRONT_ROP_FILL:
750         case SVGA_CMD_FENCE:
751         case SVGA_CMD_INVALID_CMD:
752             break; /* Nop */
753 
754         default:
755             args = 0;
756         badcmd:
757             len -= args;
758             if (len < 0) {
759                 goto rewind;
760             }
761             while (args--) {
762                 vmsvga_fifo_read(s);
763             }
764             printf("%s: Unknown command 0x%02x in SVGA command FIFO\n",
765                    __func__, cmd);
766             break;
767 
768         rewind:
769             s->fifo_stop = cmd_start;
770             s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
771             break;
772         }
773     }
774 
775     s->syncing = 0;
776 }
777 
778 static uint32_t vmsvga_index_read(void *opaque, uint32_t address)
779 {
780     struct vmsvga_state_s *s = opaque;
781 
782     return s->index;
783 }
784 
785 static void vmsvga_index_write(void *opaque, uint32_t address, uint32_t index)
786 {
787     struct vmsvga_state_s *s = opaque;
788 
789     s->index = index;
790 }
791 
792 static uint32_t vmsvga_value_read(void *opaque, uint32_t address)
793 {
794     uint32_t caps;
795     struct vmsvga_state_s *s = opaque;
796     DisplaySurface *surface = qemu_console_surface(s->vga.con);
797     PixelFormat pf;
798     uint32_t ret;
799 
800     switch (s->index) {
801     case SVGA_REG_ID:
802         ret = s->svgaid;
803         break;
804 
805     case SVGA_REG_ENABLE:
806         ret = s->enable;
807         break;
808 
809     case SVGA_REG_WIDTH:
810         ret = s->new_width ? s->new_width : surface_width(surface);
811         break;
812 
813     case SVGA_REG_HEIGHT:
814         ret = s->new_height ? s->new_height : surface_height(surface);
815         break;
816 
817     case SVGA_REG_MAX_WIDTH:
818         ret = SVGA_MAX_WIDTH;
819         break;
820 
821     case SVGA_REG_MAX_HEIGHT:
822         ret = SVGA_MAX_HEIGHT;
823         break;
824 
825     case SVGA_REG_DEPTH:
826         ret = (s->new_depth == 32) ? 24 : s->new_depth;
827         break;
828 
829     case SVGA_REG_BITS_PER_PIXEL:
830     case SVGA_REG_HOST_BITS_PER_PIXEL:
831         ret = s->new_depth;
832         break;
833 
834     case SVGA_REG_PSEUDOCOLOR:
835         ret = 0x0;
836         break;
837 
838     case SVGA_REG_RED_MASK:
839         pf = qemu_default_pixelformat(s->new_depth);
840         ret = pf.rmask;
841         break;
842 
843     case SVGA_REG_GREEN_MASK:
844         pf = qemu_default_pixelformat(s->new_depth);
845         ret = pf.gmask;
846         break;
847 
848     case SVGA_REG_BLUE_MASK:
849         pf = qemu_default_pixelformat(s->new_depth);
850         ret = pf.bmask;
851         break;
852 
853     case SVGA_REG_BYTES_PER_LINE:
854         if (s->new_width) {
855             ret = (s->new_depth * s->new_width) / 8;
856         } else {
857             ret = surface_stride(surface);
858         }
859         break;
860 
861     case SVGA_REG_FB_START: {
862         struct pci_vmsvga_state_s *pci_vmsvga
863             = container_of(s, struct pci_vmsvga_state_s, chip);
864         ret = pci_get_bar_addr(PCI_DEVICE(pci_vmsvga), 1);
865         break;
866     }
867 
868     case SVGA_REG_FB_OFFSET:
869         ret = 0x0;
870         break;
871 
872     case SVGA_REG_VRAM_SIZE:
873         ret = s->vga.vram_size; /* No physical VRAM besides the framebuffer */
874         break;
875 
876     case SVGA_REG_FB_SIZE:
877         ret = s->vga.vram_size;
878         break;
879 
880     case SVGA_REG_CAPABILITIES:
881         caps = SVGA_CAP_NONE;
882 #ifdef HW_RECT_ACCEL
883         caps |= SVGA_CAP_RECT_COPY;
884 #endif
885 #ifdef HW_FILL_ACCEL
886         caps |= SVGA_CAP_RECT_FILL;
887 #endif
888 #ifdef HW_MOUSE_ACCEL
889         if (dpy_cursor_define_supported(s->vga.con)) {
890             caps |= SVGA_CAP_CURSOR | SVGA_CAP_CURSOR_BYPASS_2 |
891                     SVGA_CAP_CURSOR_BYPASS;
892         }
893 #endif
894         ret = caps;
895         break;
896 
897     case SVGA_REG_MEM_START: {
898         struct pci_vmsvga_state_s *pci_vmsvga
899             = container_of(s, struct pci_vmsvga_state_s, chip);
900         ret = pci_get_bar_addr(PCI_DEVICE(pci_vmsvga), 2);
901         break;
902     }
903 
904     case SVGA_REG_MEM_SIZE:
905         ret = s->fifo_size;
906         break;
907 
908     case SVGA_REG_CONFIG_DONE:
909         ret = s->config;
910         break;
911 
912     case SVGA_REG_SYNC:
913     case SVGA_REG_BUSY:
914         ret = s->syncing;
915         break;
916 
917     case SVGA_REG_GUEST_ID:
918         ret = s->guest;
919         break;
920 
921     case SVGA_REG_CURSOR_ID:
922         ret = s->cursor.id;
923         break;
924 
925     case SVGA_REG_CURSOR_X:
926         ret = s->cursor.x;
927         break;
928 
929     case SVGA_REG_CURSOR_Y:
930         ret = s->cursor.y;
931         break;
932 
933     case SVGA_REG_CURSOR_ON:
934         ret = s->cursor.on;
935         break;
936 
937     case SVGA_REG_SCRATCH_SIZE:
938         ret = s->scratch_size;
939         break;
940 
941     case SVGA_REG_MEM_REGS:
942     case SVGA_REG_NUM_DISPLAYS:
943     case SVGA_REG_PITCHLOCK:
944     case SVGA_PALETTE_BASE ... SVGA_PALETTE_END:
945         ret = 0;
946         break;
947 
948     default:
949         if (s->index >= SVGA_SCRATCH_BASE &&
950             s->index < SVGA_SCRATCH_BASE + s->scratch_size) {
951             ret = s->scratch[s->index - SVGA_SCRATCH_BASE];
952             break;
953         }
954         printf("%s: Bad register %02x\n", __func__, s->index);
955         ret = 0;
956         break;
957     }
958 
959     if (s->index >= SVGA_SCRATCH_BASE) {
960         trace_vmware_scratch_read(s->index, ret);
961     } else if (s->index >= SVGA_PALETTE_BASE) {
962         trace_vmware_palette_read(s->index, ret);
963     } else {
964         trace_vmware_value_read(s->index, ret);
965     }
966     return ret;
967 }
968 
969 static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
970 {
971     struct vmsvga_state_s *s = opaque;
972 
973     if (s->index >= SVGA_SCRATCH_BASE) {
974         trace_vmware_scratch_write(s->index, value);
975     } else if (s->index >= SVGA_PALETTE_BASE) {
976         trace_vmware_palette_write(s->index, value);
977     } else {
978         trace_vmware_value_write(s->index, value);
979     }
980     switch (s->index) {
981     case SVGA_REG_ID:
982         if (value == SVGA_ID_2 || value == SVGA_ID_1 || value == SVGA_ID_0) {
983             s->svgaid = value;
984         }
985         break;
986 
987     case SVGA_REG_ENABLE:
988         s->enable = !!value;
989         s->invalidated = 1;
990         s->vga.hw_ops->invalidate(&s->vga);
991         if (s->enable && s->config) {
992             vga_dirty_log_stop(&s->vga);
993         } else {
994             vga_dirty_log_start(&s->vga);
995         }
996         break;
997 
998     case SVGA_REG_WIDTH:
999         if (value <= SVGA_MAX_WIDTH) {
1000             s->new_width = value;
1001             s->invalidated = 1;
1002         } else {
1003             printf("%s: Bad width: %i\n", __func__, value);
1004         }
1005         break;
1006 
1007     case SVGA_REG_HEIGHT:
1008         if (value <= SVGA_MAX_HEIGHT) {
1009             s->new_height = value;
1010             s->invalidated = 1;
1011         } else {
1012             printf("%s: Bad height: %i\n", __func__, value);
1013         }
1014         break;
1015 
1016     case SVGA_REG_BITS_PER_PIXEL:
1017         if (value != 32) {
1018             printf("%s: Bad bits per pixel: %i bits\n", __func__, value);
1019             s->config = 0;
1020             s->invalidated = 1;
1021         }
1022         break;
1023 
1024     case SVGA_REG_CONFIG_DONE:
1025         if (value) {
1026             s->fifo = (uint32_t *) s->fifo_ptr;
1027             vga_dirty_log_stop(&s->vga);
1028         }
1029         s->config = !!value;
1030         break;
1031 
1032     case SVGA_REG_SYNC:
1033         s->syncing = 1;
1034         vmsvga_fifo_run(s); /* Or should we just wait for update_display? */
1035         break;
1036 
1037     case SVGA_REG_GUEST_ID:
1038         s->guest = value;
1039 #ifdef VERBOSE
1040         if (value >= GUEST_OS_BASE && value < GUEST_OS_BASE +
1041             ARRAY_SIZE(vmsvga_guest_id)) {
1042             printf("%s: guest runs %s.\n", __func__,
1043                    vmsvga_guest_id[value - GUEST_OS_BASE]);
1044         }
1045 #endif
1046         break;
1047 
1048     case SVGA_REG_CURSOR_ID:
1049         s->cursor.id = value;
1050         break;
1051 
1052     case SVGA_REG_CURSOR_X:
1053         s->cursor.x = value;
1054         break;
1055 
1056     case SVGA_REG_CURSOR_Y:
1057         s->cursor.y = value;
1058         break;
1059 
1060     case SVGA_REG_CURSOR_ON:
1061         s->cursor.on |= (value == SVGA_CURSOR_ON_SHOW);
1062         s->cursor.on &= (value != SVGA_CURSOR_ON_HIDE);
1063 #ifdef HW_MOUSE_ACCEL
1064         if (value <= SVGA_CURSOR_ON_SHOW) {
1065             dpy_mouse_set(s->vga.con, s->cursor.x, s->cursor.y, s->cursor.on);
1066         }
1067 #endif
1068         break;
1069 
1070     case SVGA_REG_DEPTH:
1071     case SVGA_REG_MEM_REGS:
1072     case SVGA_REG_NUM_DISPLAYS:
1073     case SVGA_REG_PITCHLOCK:
1074     case SVGA_PALETTE_BASE ... SVGA_PALETTE_END:
1075         break;
1076 
1077     default:
1078         if (s->index >= SVGA_SCRATCH_BASE &&
1079                 s->index < SVGA_SCRATCH_BASE + s->scratch_size) {
1080             s->scratch[s->index - SVGA_SCRATCH_BASE] = value;
1081             break;
1082         }
1083         printf("%s: Bad register %02x\n", __func__, s->index);
1084     }
1085 }
1086 
1087 static uint32_t vmsvga_bios_read(void *opaque, uint32_t address)
1088 {
1089     printf("%s: what are we supposed to return?\n", __func__);
1090     return 0xcafe;
1091 }
1092 
1093 static void vmsvga_bios_write(void *opaque, uint32_t address, uint32_t data)
1094 {
1095     printf("%s: what are we supposed to do with (%08x)?\n", __func__, data);
1096 }
1097 
1098 static inline void vmsvga_check_size(struct vmsvga_state_s *s)
1099 {
1100     DisplaySurface *surface = qemu_console_surface(s->vga.con);
1101 
1102     if (s->new_width != surface_width(surface) ||
1103         s->new_height != surface_height(surface) ||
1104         s->new_depth != surface_bits_per_pixel(surface)) {
1105         int stride = (s->new_depth * s->new_width) / 8;
1106         pixman_format_code_t format =
1107             qemu_default_pixman_format(s->new_depth, true);
1108         trace_vmware_setmode(s->new_width, s->new_height, s->new_depth);
1109         surface = qemu_create_displaysurface_from(s->new_width, s->new_height,
1110                                                   format, stride,
1111                                                   s->vga.vram_ptr);
1112         dpy_gfx_replace_surface(s->vga.con, surface);
1113         s->invalidated = 1;
1114     }
1115 }
1116 
1117 static void vmsvga_update_display(void *opaque)
1118 {
1119     struct vmsvga_state_s *s = opaque;
1120     DisplaySurface *surface;
1121     bool dirty = false;
1122 
1123     if (!s->enable) {
1124         s->vga.hw_ops->gfx_update(&s->vga);
1125         return;
1126     }
1127 
1128     vmsvga_check_size(s);
1129     surface = qemu_console_surface(s->vga.con);
1130 
1131     vmsvga_fifo_run(s);
1132     vmsvga_update_rect_flush(s);
1133 
1134     /*
1135      * Is it more efficient to look at vram VGA-dirty bits or wait
1136      * for the driver to issue SVGA_CMD_UPDATE?
1137      */
1138     if (memory_region_is_logging(&s->vga.vram, DIRTY_MEMORY_VGA)) {
1139         vga_sync_dirty_bitmap(&s->vga);
1140         dirty = memory_region_get_dirty(&s->vga.vram, 0,
1141             surface_stride(surface) * surface_height(surface),
1142             DIRTY_MEMORY_VGA);
1143     }
1144     if (s->invalidated || dirty) {
1145         s->invalidated = 0;
1146         dpy_gfx_update(s->vga.con, 0, 0,
1147                    surface_width(surface), surface_height(surface));
1148     }
1149     if (dirty) {
1150         memory_region_reset_dirty(&s->vga.vram, 0,
1151             surface_stride(surface) * surface_height(surface),
1152             DIRTY_MEMORY_VGA);
1153     }
1154 }
1155 
1156 static void vmsvga_reset(DeviceState *dev)
1157 {
1158     struct pci_vmsvga_state_s *pci = VMWARE_SVGA(dev);
1159     struct vmsvga_state_s *s = &pci->chip;
1160 
1161     s->index = 0;
1162     s->enable = 0;
1163     s->config = 0;
1164     s->svgaid = SVGA_ID;
1165     s->cursor.on = 0;
1166     s->redraw_fifo_first = 0;
1167     s->redraw_fifo_last = 0;
1168     s->syncing = 0;
1169 
1170     vga_dirty_log_start(&s->vga);
1171 }
1172 
1173 static void vmsvga_invalidate_display(void *opaque)
1174 {
1175     struct vmsvga_state_s *s = opaque;
1176     if (!s->enable) {
1177         s->vga.hw_ops->invalidate(&s->vga);
1178         return;
1179     }
1180 
1181     s->invalidated = 1;
1182 }
1183 
1184 static void vmsvga_text_update(void *opaque, console_ch_t *chardata)
1185 {
1186     struct vmsvga_state_s *s = opaque;
1187 
1188     if (s->vga.hw_ops->text_update) {
1189         s->vga.hw_ops->text_update(&s->vga, chardata);
1190     }
1191 }
1192 
1193 static int vmsvga_post_load(void *opaque, int version_id)
1194 {
1195     struct vmsvga_state_s *s = opaque;
1196 
1197     s->invalidated = 1;
1198     if (s->config) {
1199         s->fifo = (uint32_t *) s->fifo_ptr;
1200     }
1201     return 0;
1202 }
1203 
1204 static const VMStateDescription vmstate_vmware_vga_internal = {
1205     .name = "vmware_vga_internal",
1206     .version_id = 0,
1207     .minimum_version_id = 0,
1208     .post_load = vmsvga_post_load,
1209     .fields = (VMStateField[]) {
1210         VMSTATE_INT32_EQUAL(new_depth, struct vmsvga_state_s),
1211         VMSTATE_INT32(enable, struct vmsvga_state_s),
1212         VMSTATE_INT32(config, struct vmsvga_state_s),
1213         VMSTATE_INT32(cursor.id, struct vmsvga_state_s),
1214         VMSTATE_INT32(cursor.x, struct vmsvga_state_s),
1215         VMSTATE_INT32(cursor.y, struct vmsvga_state_s),
1216         VMSTATE_INT32(cursor.on, struct vmsvga_state_s),
1217         VMSTATE_INT32(index, struct vmsvga_state_s),
1218         VMSTATE_VARRAY_INT32(scratch, struct vmsvga_state_s,
1219                              scratch_size, 0, vmstate_info_uint32, uint32_t),
1220         VMSTATE_INT32(new_width, struct vmsvga_state_s),
1221         VMSTATE_INT32(new_height, struct vmsvga_state_s),
1222         VMSTATE_UINT32(guest, struct vmsvga_state_s),
1223         VMSTATE_UINT32(svgaid, struct vmsvga_state_s),
1224         VMSTATE_INT32(syncing, struct vmsvga_state_s),
1225         VMSTATE_UNUSED(4), /* was fb_size */
1226         VMSTATE_END_OF_LIST()
1227     }
1228 };
1229 
1230 static const VMStateDescription vmstate_vmware_vga = {
1231     .name = "vmware_vga",
1232     .version_id = 0,
1233     .minimum_version_id = 0,
1234     .fields = (VMStateField[]) {
1235         VMSTATE_PCI_DEVICE(parent_obj, struct pci_vmsvga_state_s),
1236         VMSTATE_STRUCT(chip, struct pci_vmsvga_state_s, 0,
1237                        vmstate_vmware_vga_internal, struct vmsvga_state_s),
1238         VMSTATE_END_OF_LIST()
1239     }
1240 };
1241 
1242 static const GraphicHwOps vmsvga_ops = {
1243     .invalidate  = vmsvga_invalidate_display,
1244     .gfx_update  = vmsvga_update_display,
1245     .text_update = vmsvga_text_update,
1246 };
1247 
1248 static void vmsvga_init(DeviceState *dev, struct vmsvga_state_s *s,
1249                         MemoryRegion *address_space, MemoryRegion *io)
1250 {
1251     s->scratch_size = SVGA_SCRATCH_SIZE;
1252     s->scratch = g_malloc(s->scratch_size * 4);
1253 
1254     s->vga.con = graphic_console_init(dev, 0, &vmsvga_ops, s);
1255 
1256     s->fifo_size = SVGA_FIFO_SIZE;
1257     memory_region_init_ram(&s->fifo_ram, NULL, "vmsvga.fifo", s->fifo_size,
1258                            &error_fatal);
1259     vmstate_register_ram_global(&s->fifo_ram);
1260     s->fifo_ptr = memory_region_get_ram_ptr(&s->fifo_ram);
1261 
1262     vga_common_init(&s->vga, OBJECT(dev), true);
1263     vga_init(&s->vga, OBJECT(dev), address_space, io, true);
1264     vmstate_register(NULL, 0, &vmstate_vga_common, &s->vga);
1265     s->new_depth = 32;
1266 }
1267 
1268 static uint64_t vmsvga_io_read(void *opaque, hwaddr addr, unsigned size)
1269 {
1270     struct vmsvga_state_s *s = opaque;
1271 
1272     switch (addr) {
1273     case SVGA_IO_MUL * SVGA_INDEX_PORT: return vmsvga_index_read(s, addr);
1274     case SVGA_IO_MUL * SVGA_VALUE_PORT: return vmsvga_value_read(s, addr);
1275     case SVGA_IO_MUL * SVGA_BIOS_PORT: return vmsvga_bios_read(s, addr);
1276     default: return -1u;
1277     }
1278 }
1279 
1280 static void vmsvga_io_write(void *opaque, hwaddr addr,
1281                             uint64_t data, unsigned size)
1282 {
1283     struct vmsvga_state_s *s = opaque;
1284 
1285     switch (addr) {
1286     case SVGA_IO_MUL * SVGA_INDEX_PORT:
1287         vmsvga_index_write(s, addr, data);
1288         break;
1289     case SVGA_IO_MUL * SVGA_VALUE_PORT:
1290         vmsvga_value_write(s, addr, data);
1291         break;
1292     case SVGA_IO_MUL * SVGA_BIOS_PORT:
1293         vmsvga_bios_write(s, addr, data);
1294         break;
1295     }
1296 }
1297 
1298 static const MemoryRegionOps vmsvga_io_ops = {
1299     .read = vmsvga_io_read,
1300     .write = vmsvga_io_write,
1301     .endianness = DEVICE_LITTLE_ENDIAN,
1302     .valid = {
1303         .min_access_size = 4,
1304         .max_access_size = 4,
1305         .unaligned = true,
1306     },
1307     .impl = {
1308         .unaligned = true,
1309     },
1310 };
1311 
1312 static void pci_vmsvga_realize(PCIDevice *dev, Error **errp)
1313 {
1314     struct pci_vmsvga_state_s *s = VMWARE_SVGA(dev);
1315 
1316     dev->config[PCI_CACHE_LINE_SIZE] = 0x08;
1317     dev->config[PCI_LATENCY_TIMER] = 0x40;
1318     dev->config[PCI_INTERRUPT_LINE] = 0xff;          /* End */
1319 
1320     memory_region_init_io(&s->io_bar, NULL, &vmsvga_io_ops, &s->chip,
1321                           "vmsvga-io", 0x10);
1322     memory_region_set_flush_coalesced(&s->io_bar);
1323     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1324 
1325     vmsvga_init(DEVICE(dev), &s->chip,
1326                 pci_address_space(dev), pci_address_space_io(dev));
1327 
1328     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_MEM_PREFETCH,
1329                      &s->chip.vga.vram);
1330     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_MEM_PREFETCH,
1331                      &s->chip.fifo_ram);
1332 
1333     if (!dev->rom_bar) {
1334         /* compatibility with pc-0.13 and older */
1335         vga_init_vbe(&s->chip.vga, OBJECT(dev), pci_address_space(dev));
1336     }
1337 }
1338 
1339 static Property vga_vmware_properties[] = {
1340     DEFINE_PROP_UINT32("vgamem_mb", struct pci_vmsvga_state_s,
1341                        chip.vga.vram_size_mb, 16),
1342     DEFINE_PROP_END_OF_LIST(),
1343 };
1344 
1345 static void vmsvga_class_init(ObjectClass *klass, void *data)
1346 {
1347     DeviceClass *dc = DEVICE_CLASS(klass);
1348     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
1349 
1350     k->realize = pci_vmsvga_realize;
1351     k->romfile = "vgabios-vmware.bin";
1352     k->vendor_id = PCI_VENDOR_ID_VMWARE;
1353     k->device_id = SVGA_PCI_DEVICE_ID;
1354     k->class_id = PCI_CLASS_DISPLAY_VGA;
1355     k->subsystem_vendor_id = PCI_VENDOR_ID_VMWARE;
1356     k->subsystem_id = SVGA_PCI_DEVICE_ID;
1357     dc->reset = vmsvga_reset;
1358     dc->vmsd = &vmstate_vmware_vga;
1359     dc->props = vga_vmware_properties;
1360     dc->hotpluggable = false;
1361     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
1362 }
1363 
1364 static const TypeInfo vmsvga_info = {
1365     .name          = TYPE_VMWARE_SVGA,
1366     .parent        = TYPE_PCI_DEVICE,
1367     .instance_size = sizeof(struct pci_vmsvga_state_s),
1368     .class_init    = vmsvga_class_init,
1369 };
1370 
1371 static void vmsvga_register_types(void)
1372 {
1373     type_register_static(&vmsvga_info);
1374 }
1375 
1376 type_init(vmsvga_register_types)
1377