xref: /openbmc/qemu/hw/display/vmware_vga.c (revision 7a5951f651ad5f158631a826070b24631e733763)
1 /*
2  * QEMU VMware-SVGA "chipset".
3  *
4  * Copyright (c) 2007 Andrzej Zaborowski  <balrog@zabor.org>
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to deal
8  * in the Software without restriction, including without limitation the rights
9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10  * copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22  * THE SOFTWARE.
23  */
24 
25 #include "qemu/osdep.h"
26 #include "qemu/module.h"
27 #include "qemu/units.h"
28 #include "qapi/error.h"
29 #include "qemu/log.h"
30 #include "hw/loader.h"
31 #include "trace.h"
32 #include "hw/pci/pci_device.h"
33 #include "hw/qdev-properties.h"
34 #include "migration/vmstate.h"
35 #include "qom/object.h"
36 #include "ui/console.h"
37 
38 #undef VERBOSE
39 #define HW_RECT_ACCEL
40 #define HW_FILL_ACCEL
41 #define HW_MOUSE_ACCEL
42 
43 #include "vga_int.h"
44 
45 /* See http://vmware-svga.sf.net/ for some documentation on VMWare SVGA */
46 
47 struct vmsvga_state_s {
48     VGACommonState vga;
49 
50     int invalidated;
51     int enable;
52     int config;
53     struct {
54         int id;
55         int x;
56         int y;
57         int on;
58     } cursor;
59 
60     int index;
61     int scratch_size;
62     uint32_t *scratch;
63     int new_width;
64     int new_height;
65     int new_depth;
66     uint32_t guest;
67     uint32_t svgaid;
68     int syncing;
69 
70     MemoryRegion fifo_ram;
71     uint8_t *fifo_ptr;
72     unsigned int fifo_size;
73 
74     uint32_t *fifo;
75     uint32_t fifo_min;
76     uint32_t fifo_max;
77     uint32_t fifo_next;
78     uint32_t fifo_stop;
79 
80 #define REDRAW_FIFO_LEN  512
81     struct vmsvga_rect_s {
82         int x, y, w, h;
83     } redraw_fifo[REDRAW_FIFO_LEN];
84     int redraw_fifo_last;
85 };
86 
87 #define TYPE_VMWARE_SVGA "vmware-svga"
88 
89 DECLARE_INSTANCE_CHECKER(struct pci_vmsvga_state_s, VMWARE_SVGA,
90                          TYPE_VMWARE_SVGA)
91 
92 struct pci_vmsvga_state_s {
93     /*< private >*/
94     PCIDevice parent_obj;
95     /*< public >*/
96 
97     struct vmsvga_state_s chip;
98     MemoryRegion io_bar;
99 };
100 
101 #define SVGA_MAGIC              0x900000UL
102 #define SVGA_MAKE_ID(ver)       (SVGA_MAGIC << 8 | (ver))
103 #define SVGA_ID_0               SVGA_MAKE_ID(0)
104 #define SVGA_ID_1               SVGA_MAKE_ID(1)
105 #define SVGA_ID_2               SVGA_MAKE_ID(2)
106 
107 #define SVGA_LEGACY_BASE_PORT   0x4560
108 #define SVGA_INDEX_PORT         0x0
109 #define SVGA_VALUE_PORT         0x1
110 #define SVGA_BIOS_PORT          0x2
111 
112 #define SVGA_VERSION_2
113 
114 #ifdef SVGA_VERSION_2
115 # define SVGA_ID                SVGA_ID_2
116 # define SVGA_IO_BASE           SVGA_LEGACY_BASE_PORT
117 # define SVGA_IO_MUL            1
118 # define SVGA_FIFO_SIZE         0x10000
119 # define SVGA_PCI_DEVICE_ID     PCI_DEVICE_ID_VMWARE_SVGA2
120 #else
121 # define SVGA_ID                SVGA_ID_1
122 # define SVGA_IO_BASE           SVGA_LEGACY_BASE_PORT
123 # define SVGA_IO_MUL            4
124 # define SVGA_FIFO_SIZE         0x10000
125 # define SVGA_PCI_DEVICE_ID     PCI_DEVICE_ID_VMWARE_SVGA
126 #endif
127 
128 enum {
129     /* ID 0, 1 and 2 registers */
130     SVGA_REG_ID = 0,
131     SVGA_REG_ENABLE = 1,
132     SVGA_REG_WIDTH = 2,
133     SVGA_REG_HEIGHT = 3,
134     SVGA_REG_MAX_WIDTH = 4,
135     SVGA_REG_MAX_HEIGHT = 5,
136     SVGA_REG_DEPTH = 6,
137     SVGA_REG_BITS_PER_PIXEL = 7,        /* Current bpp in the guest */
138     SVGA_REG_PSEUDOCOLOR = 8,
139     SVGA_REG_RED_MASK = 9,
140     SVGA_REG_GREEN_MASK = 10,
141     SVGA_REG_BLUE_MASK = 11,
142     SVGA_REG_BYTES_PER_LINE = 12,
143     SVGA_REG_FB_START = 13,
144     SVGA_REG_FB_OFFSET = 14,
145     SVGA_REG_VRAM_SIZE = 15,
146     SVGA_REG_FB_SIZE = 16,
147 
148     /* ID 1 and 2 registers */
149     SVGA_REG_CAPABILITIES = 17,
150     SVGA_REG_MEM_START = 18,            /* Memory for command FIFO */
151     SVGA_REG_MEM_SIZE = 19,
152     SVGA_REG_CONFIG_DONE = 20,          /* Set when memory area configured */
153     SVGA_REG_SYNC = 21,                 /* Write to force synchronization */
154     SVGA_REG_BUSY = 22,                 /* Read to check if sync is done */
155     SVGA_REG_GUEST_ID = 23,             /* Set guest OS identifier */
156     SVGA_REG_CURSOR_ID = 24,            /* ID of cursor */
157     SVGA_REG_CURSOR_X = 25,             /* Set cursor X position */
158     SVGA_REG_CURSOR_Y = 26,             /* Set cursor Y position */
159     SVGA_REG_CURSOR_ON = 27,            /* Turn cursor on/off */
160     SVGA_REG_HOST_BITS_PER_PIXEL = 28,  /* Current bpp in the host */
161     SVGA_REG_SCRATCH_SIZE = 29,         /* Number of scratch registers */
162     SVGA_REG_MEM_REGS = 30,             /* Number of FIFO registers */
163     SVGA_REG_NUM_DISPLAYS = 31,         /* Number of guest displays */
164     SVGA_REG_PITCHLOCK = 32,            /* Fixed pitch for all modes */
165 
166     SVGA_PALETTE_BASE = 1024,           /* Base of SVGA color map */
167     SVGA_PALETTE_END  = SVGA_PALETTE_BASE + 767,
168     SVGA_SCRATCH_BASE = SVGA_PALETTE_BASE + 768,
169 };
170 
171 #define SVGA_CAP_NONE                   0
172 #define SVGA_CAP_RECT_FILL              (1 << 0)
173 #define SVGA_CAP_RECT_COPY              (1 << 1)
174 #define SVGA_CAP_RECT_PAT_FILL          (1 << 2)
175 #define SVGA_CAP_LEGACY_OFFSCREEN       (1 << 3)
176 #define SVGA_CAP_RASTER_OP              (1 << 4)
177 #define SVGA_CAP_CURSOR                 (1 << 5)
178 #define SVGA_CAP_CURSOR_BYPASS          (1 << 6)
179 #define SVGA_CAP_CURSOR_BYPASS_2        (1 << 7)
180 #define SVGA_CAP_8BIT_EMULATION         (1 << 8)
181 #define SVGA_CAP_ALPHA_CURSOR           (1 << 9)
182 #define SVGA_CAP_GLYPH                  (1 << 10)
183 #define SVGA_CAP_GLYPH_CLIPPING         (1 << 11)
184 #define SVGA_CAP_OFFSCREEN_1            (1 << 12)
185 #define SVGA_CAP_ALPHA_BLEND            (1 << 13)
186 #define SVGA_CAP_3D                     (1 << 14)
187 #define SVGA_CAP_EXTENDED_FIFO          (1 << 15)
188 #define SVGA_CAP_MULTIMON               (1 << 16)
189 #define SVGA_CAP_PITCHLOCK              (1 << 17)
190 
191 /*
192  * FIFO offsets (seen as an array of 32-bit words)
193  */
194 enum {
195     /*
196      * The original defined FIFO offsets
197      */
198     SVGA_FIFO_MIN = 0,
199     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
200     SVGA_FIFO_NEXT,
201     SVGA_FIFO_STOP,
202 
203     /*
204      * Additional offsets added as of SVGA_CAP_EXTENDED_FIFO
205      */
206     SVGA_FIFO_CAPABILITIES = 4,
207     SVGA_FIFO_FLAGS,
208     SVGA_FIFO_FENCE,
209     SVGA_FIFO_3D_HWVERSION,
210     SVGA_FIFO_PITCHLOCK,
211 };
212 
213 #define SVGA_FIFO_CAP_NONE              0
214 #define SVGA_FIFO_CAP_FENCE             (1 << 0)
215 #define SVGA_FIFO_CAP_ACCELFRONT        (1 << 1)
216 #define SVGA_FIFO_CAP_PITCHLOCK         (1 << 2)
217 
218 #define SVGA_FIFO_FLAG_NONE             0
219 #define SVGA_FIFO_FLAG_ACCELFRONT       (1 << 0)
220 
221 /* These values can probably be changed arbitrarily.  */
222 #define SVGA_SCRATCH_SIZE               0x8000
223 #define SVGA_MAX_WIDTH                  2368
224 #define SVGA_MAX_HEIGHT                 1770
225 
226 #ifdef VERBOSE
227 # define GUEST_OS_BASE          0x5001
228 static const char *vmsvga_guest_id[] = {
229     [0x00] = "Dos",
230     [0x01] = "Windows 3.1",
231     [0x02] = "Windows 95",
232     [0x03] = "Windows 98",
233     [0x04] = "Windows ME",
234     [0x05] = "Windows NT",
235     [0x06] = "Windows 2000",
236     [0x07] = "Linux",
237     [0x08] = "OS/2",
238     [0x09] = "an unknown OS",
239     [0x0a] = "BSD",
240     [0x0b] = "Whistler",
241     [0x0c] = "an unknown OS",
242     [0x0d] = "an unknown OS",
243     [0x0e] = "an unknown OS",
244     [0x0f] = "an unknown OS",
245     [0x10] = "an unknown OS",
246     [0x11] = "an unknown OS",
247     [0x12] = "an unknown OS",
248     [0x13] = "an unknown OS",
249     [0x14] = "an unknown OS",
250     [0x15] = "Windows 2003",
251 };
252 #endif
253 
254 enum {
255     SVGA_CMD_INVALID_CMD = 0,
256     SVGA_CMD_UPDATE = 1,
257     SVGA_CMD_RECT_FILL = 2,
258     SVGA_CMD_RECT_COPY = 3,
259     SVGA_CMD_DEFINE_BITMAP = 4,
260     SVGA_CMD_DEFINE_BITMAP_SCANLINE = 5,
261     SVGA_CMD_DEFINE_PIXMAP = 6,
262     SVGA_CMD_DEFINE_PIXMAP_SCANLINE = 7,
263     SVGA_CMD_RECT_BITMAP_FILL = 8,
264     SVGA_CMD_RECT_PIXMAP_FILL = 9,
265     SVGA_CMD_RECT_BITMAP_COPY = 10,
266     SVGA_CMD_RECT_PIXMAP_COPY = 11,
267     SVGA_CMD_FREE_OBJECT = 12,
268     SVGA_CMD_RECT_ROP_FILL = 13,
269     SVGA_CMD_RECT_ROP_COPY = 14,
270     SVGA_CMD_RECT_ROP_BITMAP_FILL = 15,
271     SVGA_CMD_RECT_ROP_PIXMAP_FILL = 16,
272     SVGA_CMD_RECT_ROP_BITMAP_COPY = 17,
273     SVGA_CMD_RECT_ROP_PIXMAP_COPY = 18,
274     SVGA_CMD_DEFINE_CURSOR = 19,
275     SVGA_CMD_DISPLAY_CURSOR = 20,
276     SVGA_CMD_MOVE_CURSOR = 21,
277     SVGA_CMD_DEFINE_ALPHA_CURSOR = 22,
278     SVGA_CMD_DRAW_GLYPH = 23,
279     SVGA_CMD_DRAW_GLYPH_CLIPPED = 24,
280     SVGA_CMD_UPDATE_VERBOSE = 25,
281     SVGA_CMD_SURFACE_FILL = 26,
282     SVGA_CMD_SURFACE_COPY = 27,
283     SVGA_CMD_SURFACE_ALPHA_BLEND = 28,
284     SVGA_CMD_FRONT_ROP_FILL = 29,
285     SVGA_CMD_FENCE = 30,
286 };
287 
288 /* Legal values for the SVGA_REG_CURSOR_ON register in cursor bypass mode */
289 enum {
290     SVGA_CURSOR_ON_HIDE = 0,
291     SVGA_CURSOR_ON_SHOW = 1,
292     SVGA_CURSOR_ON_REMOVE_FROM_FB = 2,
293     SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
294 };
295 
296 static inline bool vmsvga_verify_rect(DisplaySurface *surface,
297                                       const char *name,
298                                       int x, int y, int w, int h)
299 {
300     if (x < 0) {
301         trace_vmware_verify_rect_less_than_zero(name, "x", x);
302         return false;
303     }
304     if (x > SVGA_MAX_WIDTH) {
305         trace_vmware_verify_rect_greater_than_bound(name, "x", SVGA_MAX_WIDTH,
306                                                     x);
307         return false;
308     }
309     if (w < 0) {
310         trace_vmware_verify_rect_less_than_zero(name, "w", w);
311         return false;
312     }
313     if (w > SVGA_MAX_WIDTH) {
314         trace_vmware_verify_rect_greater_than_bound(name, "w", SVGA_MAX_WIDTH,
315                                                     w);
316         return false;
317     }
318     if (x + w > surface_width(surface)) {
319         trace_vmware_verify_rect_surface_bound_exceeded(name, "width",
320                                                         surface_width(surface),
321                                                         "x", x, "w", w);
322         return false;
323     }
324 
325     if (y < 0) {
326         trace_vmware_verify_rect_less_than_zero(name, "y", y);
327         return false;
328     }
329     if (y > SVGA_MAX_HEIGHT) {
330         trace_vmware_verify_rect_greater_than_bound(name, "y", SVGA_MAX_HEIGHT,
331                                                     y);
332         return false;
333     }
334     if (h < 0) {
335         trace_vmware_verify_rect_less_than_zero(name, "h", h);
336         return false;
337     }
338     if (h > SVGA_MAX_HEIGHT) {
339         trace_vmware_verify_rect_greater_than_bound(name, "y", SVGA_MAX_HEIGHT,
340                                                     y);
341         return false;
342     }
343     if (y + h > surface_height(surface)) {
344         trace_vmware_verify_rect_surface_bound_exceeded(name, "height",
345                                                         surface_height(surface),
346                                                         "y", y, "h", h);
347         return false;
348     }
349 
350     return true;
351 }
352 
353 static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
354                                       int x, int y, int w, int h)
355 {
356     DisplaySurface *surface = qemu_console_surface(s->vga.con);
357     int line;
358     int bypl;
359     int width;
360     int start;
361     uint8_t *src;
362     uint8_t *dst;
363 
364     if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
365         /* go for a fullscreen update as fallback */
366         x = 0;
367         y = 0;
368         w = surface_width(surface);
369         h = surface_height(surface);
370     }
371 
372     bypl = surface_stride(surface);
373     width = surface_bytes_per_pixel(surface) * w;
374     start = surface_bytes_per_pixel(surface) * x + bypl * y;
375     src = s->vga.vram_ptr + start;
376     dst = surface_data(surface) + start;
377 
378     for (line = h; line > 0; line--, src += bypl, dst += bypl) {
379         memcpy(dst, src, width);
380     }
381     dpy_gfx_update(s->vga.con, x, y, w, h);
382 }
383 
384 static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
385 {
386     struct vmsvga_rect_s *rect;
387 
388     if (s->invalidated) {
389         s->redraw_fifo_last = 0;
390         return;
391     }
392     /* Overlapping region updates can be optimised out here - if someone
393      * knows a smart algorithm to do that, please share.  */
394     for (int i = 0; i < s->redraw_fifo_last; i++) {
395         rect = &s->redraw_fifo[i];
396         vmsvga_update_rect(s, rect->x, rect->y, rect->w, rect->h);
397     }
398 
399     s->redraw_fifo_last = 0;
400 }
401 
402 static inline void vmsvga_update_rect_delayed(struct vmsvga_state_s *s,
403                 int x, int y, int w, int h)
404 {
405 
406     if (s->redraw_fifo_last >= REDRAW_FIFO_LEN) {
407         trace_vmware_update_rect_delayed_flush();
408         vmsvga_update_rect_flush(s);
409     }
410 
411     struct vmsvga_rect_s *rect = &s->redraw_fifo[s->redraw_fifo_last++];
412 
413     rect->x = x;
414     rect->y = y;
415     rect->w = w;
416     rect->h = h;
417 }
418 
419 #ifdef HW_RECT_ACCEL
420 static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
421                 int x0, int y0, int x1, int y1, int w, int h)
422 {
423     DisplaySurface *surface = qemu_console_surface(s->vga.con);
424     uint8_t *vram = s->vga.vram_ptr;
425     int bypl = surface_stride(surface);
426     int bypp = surface_bytes_per_pixel(surface);
427     int width = bypp * w;
428     int line = h;
429     uint8_t *ptr[2];
430 
431     if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
432         return -1;
433     }
434     if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
435         return -1;
436     }
437 
438     if (y1 > y0) {
439         ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
440         ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
441         for (; line > 0; line --, ptr[0] -= bypl, ptr[1] -= bypl) {
442             memmove(ptr[1], ptr[0], width);
443         }
444     } else {
445         ptr[0] = vram + bypp * x0 + bypl * y0;
446         ptr[1] = vram + bypp * x1 + bypl * y1;
447         for (; line > 0; line --, ptr[0] += bypl, ptr[1] += bypl) {
448             memmove(ptr[1], ptr[0], width);
449         }
450     }
451 
452     vmsvga_update_rect_delayed(s, x1, y1, w, h);
453     return 0;
454 }
455 #endif
456 
457 #ifdef HW_FILL_ACCEL
458 static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
459                 uint32_t c, int x, int y, int w, int h)
460 {
461     DisplaySurface *surface = qemu_console_surface(s->vga.con);
462     int bypl = surface_stride(surface);
463     int width = surface_bytes_per_pixel(surface) * w;
464     int line = h;
465     int column;
466     uint8_t *fst;
467     uint8_t *dst;
468     uint8_t *src;
469     uint8_t col[4];
470 
471     if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
472         return -1;
473     }
474 
475     col[0] = c;
476     col[1] = c >> 8;
477     col[2] = c >> 16;
478     col[3] = c >> 24;
479 
480     fst = s->vga.vram_ptr + surface_bytes_per_pixel(surface) * x + bypl * y;
481 
482     if (line--) {
483         dst = fst;
484         src = col;
485         for (column = width; column > 0; column--) {
486             *(dst++) = *(src++);
487             if (src - col == surface_bytes_per_pixel(surface)) {
488                 src = col;
489             }
490         }
491         dst = fst;
492         for (; line > 0; line--) {
493             dst += bypl;
494             memcpy(dst, fst, width);
495         }
496     }
497 
498     vmsvga_update_rect_delayed(s, x, y, w, h);
499     return 0;
500 }
501 #endif
502 
503 struct vmsvga_cursor_definition_s {
504     uint32_t width;
505     uint32_t height;
506     int id;
507     uint32_t bpp;
508     int hot_x;
509     int hot_y;
510     uint32_t mask[1024];
511     uint32_t image[4096];
512 };
513 
514 #define SVGA_BITMAP_SIZE(w, h)          ((((w) + 31) >> 5) * (h))
515 #define SVGA_PIXMAP_SIZE(w, h, bpp)     (((((w) * (bpp)) + 31) >> 5) * (h))
516 
517 #ifdef HW_MOUSE_ACCEL
518 static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
519                 struct vmsvga_cursor_definition_s *c)
520 {
521     QEMUCursor *qc;
522     int i, pixels;
523 
524     qc = cursor_alloc(c->width, c->height);
525     assert(qc != NULL);
526 
527     qc->hot_x = c->hot_x;
528     qc->hot_y = c->hot_y;
529     switch (c->bpp) {
530     case 1:
531         cursor_set_mono(qc, 0xffffff, 0x000000, (void *)c->image,
532                         1, (void *)c->mask);
533 #ifdef DEBUG
534         cursor_print_ascii_art(qc, "vmware/mono");
535 #endif
536         break;
537     case 32:
538         /* fill alpha channel from mask, set color to zero */
539         cursor_set_mono(qc, 0x000000, 0x000000, (void *)c->mask,
540                         1, (void *)c->mask);
541         /* add in rgb values */
542         pixels = c->width * c->height;
543         for (i = 0; i < pixels; i++) {
544             qc->data[i] |= c->image[i] & 0xffffff;
545         }
546 #ifdef DEBUG
547         cursor_print_ascii_art(qc, "vmware/32bit");
548 #endif
549         break;
550     default:
551         fprintf(stderr, "%s: unhandled bpp %d, using fallback cursor\n",
552                 __func__, c->bpp);
553         cursor_put(qc);
554         qc = cursor_builtin_left_ptr();
555     }
556 
557     dpy_cursor_define(s->vga.con, qc);
558     cursor_put(qc);
559 }
560 #endif
561 
562 static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
563 {
564     int num;
565 
566     if (!s->config || !s->enable) {
567         return 0;
568     }
569 
570     s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
571     s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
572     s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
573     s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
574 
575     /* Check range and alignment.  */
576     if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
577         return 0;
578     }
579     if (s->fifo_min < sizeof(uint32_t) * 4) {
580         return 0;
581     }
582     if (s->fifo_max > SVGA_FIFO_SIZE ||
583         s->fifo_min >= SVGA_FIFO_SIZE ||
584         s->fifo_stop >= SVGA_FIFO_SIZE ||
585         s->fifo_next >= SVGA_FIFO_SIZE) {
586         return 0;
587     }
588     if (s->fifo_max < s->fifo_min + 10 * KiB) {
589         return 0;
590     }
591 
592     num = s->fifo_next - s->fifo_stop;
593     if (num < 0) {
594         num += s->fifo_max - s->fifo_min;
595     }
596     return num >> 2;
597 }
598 
599 static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
600 {
601     uint32_t cmd = s->fifo[s->fifo_stop >> 2];
602 
603     s->fifo_stop += 4;
604     if (s->fifo_stop >= s->fifo_max) {
605         s->fifo_stop = s->fifo_min;
606     }
607     s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
608     return cmd;
609 }
610 
611 static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
612 {
613     return le32_to_cpu(vmsvga_fifo_read_raw(s));
614 }
615 
616 static void vmsvga_fifo_run(struct vmsvga_state_s *s)
617 {
618     uint32_t cmd, colour;
619     int args, len, maxloop = 1024;
620     int x, y, dx, dy, width, height;
621     struct vmsvga_cursor_definition_s cursor;
622     uint32_t cmd_start;
623 
624     len = vmsvga_fifo_length(s);
625     while (len > 0 && --maxloop > 0) {
626         /* May need to go back to the start of the command if incomplete */
627         cmd_start = s->fifo_stop;
628 
629         switch (cmd = vmsvga_fifo_read(s)) {
630         case SVGA_CMD_UPDATE:
631         case SVGA_CMD_UPDATE_VERBOSE:
632             len -= 5;
633             if (len < 0) {
634                 goto rewind;
635             }
636 
637             x = vmsvga_fifo_read(s);
638             y = vmsvga_fifo_read(s);
639             width = vmsvga_fifo_read(s);
640             height = vmsvga_fifo_read(s);
641             vmsvga_update_rect_delayed(s, x, y, width, height);
642             break;
643 
644         case SVGA_CMD_RECT_FILL:
645             len -= 6;
646             if (len < 0) {
647                 goto rewind;
648             }
649 
650             colour = vmsvga_fifo_read(s);
651             x = vmsvga_fifo_read(s);
652             y = vmsvga_fifo_read(s);
653             width = vmsvga_fifo_read(s);
654             height = vmsvga_fifo_read(s);
655 #ifdef HW_FILL_ACCEL
656             if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
657                 break;
658             }
659 #endif
660             args = 0;
661             goto badcmd;
662 
663         case SVGA_CMD_RECT_COPY:
664             len -= 7;
665             if (len < 0) {
666                 goto rewind;
667             }
668 
669             x = vmsvga_fifo_read(s);
670             y = vmsvga_fifo_read(s);
671             dx = vmsvga_fifo_read(s);
672             dy = vmsvga_fifo_read(s);
673             width = vmsvga_fifo_read(s);
674             height = vmsvga_fifo_read(s);
675 #ifdef HW_RECT_ACCEL
676             if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
677                 break;
678             }
679 #endif
680             args = 0;
681             goto badcmd;
682 
683         case SVGA_CMD_DEFINE_CURSOR:
684             len -= 8;
685             if (len < 0) {
686                 goto rewind;
687             }
688 
689             cursor.id = vmsvga_fifo_read(s);
690             cursor.hot_x = vmsvga_fifo_read(s);
691             cursor.hot_y = vmsvga_fifo_read(s);
692             cursor.width = x = vmsvga_fifo_read(s);
693             cursor.height = y = vmsvga_fifo_read(s);
694             vmsvga_fifo_read(s);
695             cursor.bpp = vmsvga_fifo_read(s);
696 
697             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
698             if (cursor.width > 256
699                 || cursor.height > 256
700                 || cursor.bpp > 32
701                 || SVGA_BITMAP_SIZE(x, y) > ARRAY_SIZE(cursor.mask)
702                 || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
703                     > ARRAY_SIZE(cursor.image)) {
704                     goto badcmd;
705             }
706 
707             len -= args;
708             if (len < 0) {
709                 goto rewind;
710             }
711 
712             for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args++) {
713                 cursor.mask[args] = vmsvga_fifo_read_raw(s);
714             }
715             for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args++) {
716                 cursor.image[args] = vmsvga_fifo_read_raw(s);
717             }
718 #ifdef HW_MOUSE_ACCEL
719             vmsvga_cursor_define(s, &cursor);
720             break;
721 #else
722             args = 0;
723             goto badcmd;
724 #endif
725 
726         /*
727          * Other commands that we at least know the number of arguments
728          * for so we can avoid FIFO desync if driver uses them illegally.
729          */
730         case SVGA_CMD_DEFINE_ALPHA_CURSOR:
731             len -= 6;
732             if (len < 0) {
733                 goto rewind;
734             }
735             vmsvga_fifo_read(s);
736             vmsvga_fifo_read(s);
737             vmsvga_fifo_read(s);
738             x = vmsvga_fifo_read(s);
739             y = vmsvga_fifo_read(s);
740             args = x * y;
741             goto badcmd;
742         case SVGA_CMD_RECT_ROP_FILL:
743             args = 6;
744             goto badcmd;
745         case SVGA_CMD_RECT_ROP_COPY:
746             args = 7;
747             goto badcmd;
748         case SVGA_CMD_DRAW_GLYPH_CLIPPED:
749             len -= 4;
750             if (len < 0) {
751                 goto rewind;
752             }
753             vmsvga_fifo_read(s);
754             vmsvga_fifo_read(s);
755             args = 7 + (vmsvga_fifo_read(s) >> 2);
756             goto badcmd;
757         case SVGA_CMD_SURFACE_ALPHA_BLEND:
758             args = 12;
759             goto badcmd;
760 
761         /*
762          * Other commands that are not listed as depending on any
763          * CAPABILITIES bits, but are not described in the README either.
764          */
765         case SVGA_CMD_SURFACE_FILL:
766         case SVGA_CMD_SURFACE_COPY:
767         case SVGA_CMD_FRONT_ROP_FILL:
768         case SVGA_CMD_FENCE:
769         case SVGA_CMD_INVALID_CMD:
770             break; /* Nop */
771 
772         default:
773             args = 0;
774         badcmd:
775             len -= args;
776             if (len < 0) {
777                 goto rewind;
778             }
779             while (args--) {
780                 vmsvga_fifo_read(s);
781             }
782             printf("%s: Unknown command 0x%02x in SVGA command FIFO\n",
783                    __func__, cmd);
784             break;
785 
786         rewind:
787             s->fifo_stop = cmd_start;
788             s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
789             break;
790         }
791     }
792 
793     s->syncing = 0;
794 }
795 
796 static uint32_t vmsvga_index_read(void *opaque, uint32_t address)
797 {
798     struct vmsvga_state_s *s = opaque;
799 
800     return s->index;
801 }
802 
803 static void vmsvga_index_write(void *opaque, uint32_t address, uint32_t index)
804 {
805     struct vmsvga_state_s *s = opaque;
806 
807     s->index = index;
808 }
809 
810 static uint32_t vmsvga_value_read(void *opaque, uint32_t address)
811 {
812     uint32_t caps;
813     struct vmsvga_state_s *s = opaque;
814     DisplaySurface *surface = qemu_console_surface(s->vga.con);
815     PixelFormat pf;
816     uint32_t ret;
817 
818     switch (s->index) {
819     case SVGA_REG_ID:
820         ret = s->svgaid;
821         break;
822 
823     case SVGA_REG_ENABLE:
824         ret = s->enable;
825         break;
826 
827     case SVGA_REG_WIDTH:
828         ret = s->new_width ? s->new_width : surface_width(surface);
829         break;
830 
831     case SVGA_REG_HEIGHT:
832         ret = s->new_height ? s->new_height : surface_height(surface);
833         break;
834 
835     case SVGA_REG_MAX_WIDTH:
836         ret = SVGA_MAX_WIDTH;
837         break;
838 
839     case SVGA_REG_MAX_HEIGHT:
840         ret = SVGA_MAX_HEIGHT;
841         break;
842 
843     case SVGA_REG_DEPTH:
844         ret = (s->new_depth == 32) ? 24 : s->new_depth;
845         break;
846 
847     case SVGA_REG_BITS_PER_PIXEL:
848     case SVGA_REG_HOST_BITS_PER_PIXEL:
849         ret = s->new_depth;
850         break;
851 
852     case SVGA_REG_PSEUDOCOLOR:
853         ret = 0x0;
854         break;
855 
856     case SVGA_REG_RED_MASK:
857         pf = qemu_default_pixelformat(s->new_depth);
858         ret = pf.rmask;
859         break;
860 
861     case SVGA_REG_GREEN_MASK:
862         pf = qemu_default_pixelformat(s->new_depth);
863         ret = pf.gmask;
864         break;
865 
866     case SVGA_REG_BLUE_MASK:
867         pf = qemu_default_pixelformat(s->new_depth);
868         ret = pf.bmask;
869         break;
870 
871     case SVGA_REG_BYTES_PER_LINE:
872         if (s->new_width) {
873             ret = (s->new_depth * s->new_width) / 8;
874         } else {
875             ret = surface_stride(surface);
876         }
877         break;
878 
879     case SVGA_REG_FB_START: {
880         struct pci_vmsvga_state_s *pci_vmsvga
881             = container_of(s, struct pci_vmsvga_state_s, chip);
882         ret = pci_get_bar_addr(PCI_DEVICE(pci_vmsvga), 1);
883         break;
884     }
885 
886     case SVGA_REG_FB_OFFSET:
887         ret = 0x0;
888         break;
889 
890     case SVGA_REG_VRAM_SIZE:
891         ret = s->vga.vram_size; /* No physical VRAM besides the framebuffer */
892         break;
893 
894     case SVGA_REG_FB_SIZE:
895         ret = s->vga.vram_size;
896         break;
897 
898     case SVGA_REG_CAPABILITIES:
899         caps = SVGA_CAP_NONE;
900 #ifdef HW_RECT_ACCEL
901         caps |= SVGA_CAP_RECT_COPY;
902 #endif
903 #ifdef HW_FILL_ACCEL
904         caps |= SVGA_CAP_RECT_FILL;
905 #endif
906 #ifdef HW_MOUSE_ACCEL
907         if (dpy_cursor_define_supported(s->vga.con)) {
908             caps |= SVGA_CAP_CURSOR | SVGA_CAP_CURSOR_BYPASS_2 |
909                     SVGA_CAP_CURSOR_BYPASS;
910         }
911 #endif
912         ret = caps;
913         break;
914 
915     case SVGA_REG_MEM_START: {
916         struct pci_vmsvga_state_s *pci_vmsvga
917             = container_of(s, struct pci_vmsvga_state_s, chip);
918         ret = pci_get_bar_addr(PCI_DEVICE(pci_vmsvga), 2);
919         break;
920     }
921 
922     case SVGA_REG_MEM_SIZE:
923         ret = s->fifo_size;
924         break;
925 
926     case SVGA_REG_CONFIG_DONE:
927         ret = s->config;
928         break;
929 
930     case SVGA_REG_SYNC:
931     case SVGA_REG_BUSY:
932         ret = s->syncing;
933         break;
934 
935     case SVGA_REG_GUEST_ID:
936         ret = s->guest;
937         break;
938 
939     case SVGA_REG_CURSOR_ID:
940         ret = s->cursor.id;
941         break;
942 
943     case SVGA_REG_CURSOR_X:
944         ret = s->cursor.x;
945         break;
946 
947     case SVGA_REG_CURSOR_Y:
948         ret = s->cursor.y;
949         break;
950 
951     case SVGA_REG_CURSOR_ON:
952         ret = s->cursor.on;
953         break;
954 
955     case SVGA_REG_SCRATCH_SIZE:
956         ret = s->scratch_size;
957         break;
958 
959     case SVGA_REG_MEM_REGS:
960     case SVGA_REG_NUM_DISPLAYS:
961     case SVGA_REG_PITCHLOCK:
962     case SVGA_PALETTE_BASE ... SVGA_PALETTE_END:
963         ret = 0;
964         break;
965 
966     default:
967         if (s->index >= SVGA_SCRATCH_BASE &&
968             s->index < SVGA_SCRATCH_BASE + s->scratch_size) {
969             ret = s->scratch[s->index - SVGA_SCRATCH_BASE];
970             break;
971         }
972         qemu_log_mask(LOG_GUEST_ERROR,
973                       "%s: Bad register %02x\n", __func__, s->index);
974         ret = 0;
975         break;
976     }
977 
978     if (s->index >= SVGA_SCRATCH_BASE) {
979         trace_vmware_scratch_read(s->index, ret);
980     } else if (s->index >= SVGA_PALETTE_BASE) {
981         trace_vmware_palette_read(s->index, ret);
982     } else {
983         trace_vmware_value_read(s->index, ret);
984     }
985     return ret;
986 }
987 
988 static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
989 {
990     struct vmsvga_state_s *s = opaque;
991 
992     if (s->index >= SVGA_SCRATCH_BASE) {
993         trace_vmware_scratch_write(s->index, value);
994     } else if (s->index >= SVGA_PALETTE_BASE) {
995         trace_vmware_palette_write(s->index, value);
996     } else {
997         trace_vmware_value_write(s->index, value);
998     }
999     switch (s->index) {
1000     case SVGA_REG_ID:
1001         if (value == SVGA_ID_2 || value == SVGA_ID_1 || value == SVGA_ID_0) {
1002             s->svgaid = value;
1003         }
1004         break;
1005 
1006     case SVGA_REG_ENABLE:
1007         s->enable = !!value;
1008         s->invalidated = 1;
1009         s->vga.hw_ops->invalidate(&s->vga);
1010         if (s->enable && s->config) {
1011             vga_dirty_log_stop(&s->vga);
1012         } else {
1013             vga_dirty_log_start(&s->vga);
1014         }
1015         break;
1016 
1017     case SVGA_REG_WIDTH:
1018         if (value <= SVGA_MAX_WIDTH) {
1019             s->new_width = value;
1020             s->invalidated = 1;
1021         } else {
1022             qemu_log_mask(LOG_GUEST_ERROR,
1023                           "%s: Bad width: %i\n", __func__, value);
1024         }
1025         break;
1026 
1027     case SVGA_REG_HEIGHT:
1028         if (value <= SVGA_MAX_HEIGHT) {
1029             s->new_height = value;
1030             s->invalidated = 1;
1031         } else {
1032             qemu_log_mask(LOG_GUEST_ERROR,
1033                           "%s: Bad height: %i\n", __func__, value);
1034         }
1035         break;
1036 
1037     case SVGA_REG_BITS_PER_PIXEL:
1038         if (value != 32) {
1039             qemu_log_mask(LOG_GUEST_ERROR,
1040                           "%s: Bad bits per pixel: %i bits\n", __func__, value);
1041             s->config = 0;
1042             s->invalidated = 1;
1043         }
1044         break;
1045 
1046     case SVGA_REG_CONFIG_DONE:
1047         if (value) {
1048             s->fifo = (uint32_t *) s->fifo_ptr;
1049             vga_dirty_log_stop(&s->vga);
1050         }
1051         s->config = !!value;
1052         break;
1053 
1054     case SVGA_REG_SYNC:
1055         s->syncing = 1;
1056         vmsvga_fifo_run(s); /* Or should we just wait for update_display? */
1057         break;
1058 
1059     case SVGA_REG_GUEST_ID:
1060         s->guest = value;
1061 #ifdef VERBOSE
1062         if (value >= GUEST_OS_BASE && value < GUEST_OS_BASE +
1063             ARRAY_SIZE(vmsvga_guest_id)) {
1064             printf("%s: guest runs %s.\n", __func__,
1065                    vmsvga_guest_id[value - GUEST_OS_BASE]);
1066         }
1067 #endif
1068         break;
1069 
1070     case SVGA_REG_CURSOR_ID:
1071         s->cursor.id = value;
1072         break;
1073 
1074     case SVGA_REG_CURSOR_X:
1075         s->cursor.x = value;
1076         break;
1077 
1078     case SVGA_REG_CURSOR_Y:
1079         s->cursor.y = value;
1080         break;
1081 
1082     case SVGA_REG_CURSOR_ON:
1083         s->cursor.on |= (value == SVGA_CURSOR_ON_SHOW);
1084         s->cursor.on &= (value != SVGA_CURSOR_ON_HIDE);
1085 #ifdef HW_MOUSE_ACCEL
1086         if (value <= SVGA_CURSOR_ON_SHOW) {
1087             dpy_mouse_set(s->vga.con, s->cursor.x, s->cursor.y, s->cursor.on);
1088         }
1089 #endif
1090         break;
1091 
1092     case SVGA_REG_DEPTH:
1093     case SVGA_REG_MEM_REGS:
1094     case SVGA_REG_NUM_DISPLAYS:
1095     case SVGA_REG_PITCHLOCK:
1096     case SVGA_PALETTE_BASE ... SVGA_PALETTE_END:
1097         break;
1098 
1099     default:
1100         if (s->index >= SVGA_SCRATCH_BASE &&
1101                 s->index < SVGA_SCRATCH_BASE + s->scratch_size) {
1102             s->scratch[s->index - SVGA_SCRATCH_BASE] = value;
1103             break;
1104         }
1105         qemu_log_mask(LOG_GUEST_ERROR,
1106                       "%s: Bad register %02x\n", __func__, s->index);
1107     }
1108 }
1109 
1110 static uint32_t vmsvga_bios_read(void *opaque, uint32_t address)
1111 {
1112     printf("%s: what are we supposed to return?\n", __func__);
1113     return 0xcafe;
1114 }
1115 
1116 static void vmsvga_bios_write(void *opaque, uint32_t address, uint32_t data)
1117 {
1118     printf("%s: what are we supposed to do with (%08x)?\n", __func__, data);
1119 }
1120 
1121 static inline void vmsvga_check_size(struct vmsvga_state_s *s)
1122 {
1123     DisplaySurface *surface = qemu_console_surface(s->vga.con);
1124 
1125     if (s->new_width != surface_width(surface) ||
1126         s->new_height != surface_height(surface) ||
1127         s->new_depth != surface_bits_per_pixel(surface)) {
1128         int stride = (s->new_depth * s->new_width) / 8;
1129         pixman_format_code_t format =
1130             qemu_default_pixman_format(s->new_depth, true);
1131         trace_vmware_setmode(s->new_width, s->new_height, s->new_depth);
1132         surface = qemu_create_displaysurface_from(s->new_width, s->new_height,
1133                                                   format, stride,
1134                                                   s->vga.vram_ptr);
1135         dpy_gfx_replace_surface(s->vga.con, surface);
1136         s->invalidated = 1;
1137     }
1138 }
1139 
1140 static void vmsvga_update_display(void *opaque)
1141 {
1142     struct vmsvga_state_s *s = opaque;
1143 
1144     if (!s->enable || !s->config) {
1145         /* in standard vga mode */
1146         s->vga.hw_ops->gfx_update(&s->vga);
1147         return;
1148     }
1149 
1150     vmsvga_check_size(s);
1151 
1152     vmsvga_fifo_run(s);
1153     vmsvga_update_rect_flush(s);
1154 
1155     if (s->invalidated) {
1156         s->invalidated = 0;
1157         dpy_gfx_update_full(s->vga.con);
1158     }
1159 }
1160 
1161 static void vmsvga_reset(DeviceState *dev)
1162 {
1163     struct pci_vmsvga_state_s *pci = VMWARE_SVGA(dev);
1164     struct vmsvga_state_s *s = &pci->chip;
1165 
1166     s->index = 0;
1167     s->enable = 0;
1168     s->config = 0;
1169     s->svgaid = SVGA_ID;
1170     s->cursor.on = 0;
1171     s->redraw_fifo_last = 0;
1172     s->syncing = 0;
1173 
1174     vga_dirty_log_start(&s->vga);
1175 }
1176 
1177 static void vmsvga_invalidate_display(void *opaque)
1178 {
1179     struct vmsvga_state_s *s = opaque;
1180     if (!s->enable) {
1181         s->vga.hw_ops->invalidate(&s->vga);
1182         return;
1183     }
1184 
1185     s->invalidated = 1;
1186 }
1187 
1188 static void vmsvga_text_update(void *opaque, console_ch_t *chardata)
1189 {
1190     struct vmsvga_state_s *s = opaque;
1191 
1192     if (s->vga.hw_ops->text_update) {
1193         s->vga.hw_ops->text_update(&s->vga, chardata);
1194     }
1195 }
1196 
1197 static int vmsvga_post_load(void *opaque, int version_id)
1198 {
1199     struct vmsvga_state_s *s = opaque;
1200 
1201     s->invalidated = 1;
1202     if (s->config) {
1203         s->fifo = (uint32_t *) s->fifo_ptr;
1204     }
1205     return 0;
1206 }
1207 
1208 static const VMStateDescription vmstate_vmware_vga_internal = {
1209     .name = "vmware_vga_internal",
1210     .version_id = 0,
1211     .minimum_version_id = 0,
1212     .post_load = vmsvga_post_load,
1213     .fields = (VMStateField[]) {
1214         VMSTATE_INT32_EQUAL(new_depth, struct vmsvga_state_s, NULL),
1215         VMSTATE_INT32(enable, struct vmsvga_state_s),
1216         VMSTATE_INT32(config, struct vmsvga_state_s),
1217         VMSTATE_INT32(cursor.id, struct vmsvga_state_s),
1218         VMSTATE_INT32(cursor.x, struct vmsvga_state_s),
1219         VMSTATE_INT32(cursor.y, struct vmsvga_state_s),
1220         VMSTATE_INT32(cursor.on, struct vmsvga_state_s),
1221         VMSTATE_INT32(index, struct vmsvga_state_s),
1222         VMSTATE_VARRAY_INT32(scratch, struct vmsvga_state_s,
1223                              scratch_size, 0, vmstate_info_uint32, uint32_t),
1224         VMSTATE_INT32(new_width, struct vmsvga_state_s),
1225         VMSTATE_INT32(new_height, struct vmsvga_state_s),
1226         VMSTATE_UINT32(guest, struct vmsvga_state_s),
1227         VMSTATE_UINT32(svgaid, struct vmsvga_state_s),
1228         VMSTATE_INT32(syncing, struct vmsvga_state_s),
1229         VMSTATE_UNUSED(4), /* was fb_size */
1230         VMSTATE_END_OF_LIST()
1231     }
1232 };
1233 
1234 static const VMStateDescription vmstate_vmware_vga = {
1235     .name = "vmware_vga",
1236     .version_id = 0,
1237     .minimum_version_id = 0,
1238     .fields = (VMStateField[]) {
1239         VMSTATE_PCI_DEVICE(parent_obj, struct pci_vmsvga_state_s),
1240         VMSTATE_STRUCT(chip, struct pci_vmsvga_state_s, 0,
1241                        vmstate_vmware_vga_internal, struct vmsvga_state_s),
1242         VMSTATE_END_OF_LIST()
1243     }
1244 };
1245 
1246 static const GraphicHwOps vmsvga_ops = {
1247     .invalidate  = vmsvga_invalidate_display,
1248     .gfx_update  = vmsvga_update_display,
1249     .text_update = vmsvga_text_update,
1250 };
1251 
1252 static void vmsvga_init(DeviceState *dev, struct vmsvga_state_s *s,
1253                         MemoryRegion *address_space, MemoryRegion *io)
1254 {
1255     s->scratch_size = SVGA_SCRATCH_SIZE;
1256     s->scratch = g_malloc(s->scratch_size * 4);
1257 
1258     s->vga.con = graphic_console_init(dev, 0, &vmsvga_ops, s);
1259 
1260     s->fifo_size = SVGA_FIFO_SIZE;
1261     memory_region_init_ram(&s->fifo_ram, NULL, "vmsvga.fifo", s->fifo_size,
1262                            &error_fatal);
1263     s->fifo_ptr = memory_region_get_ram_ptr(&s->fifo_ram);
1264 
1265     vga_common_init(&s->vga, OBJECT(dev), &error_fatal);
1266     vga_init(&s->vga, OBJECT(dev), address_space, io, true);
1267     vmstate_register(NULL, 0, &vmstate_vga_common, &s->vga);
1268     s->new_depth = 32;
1269 }
1270 
1271 static uint64_t vmsvga_io_read(void *opaque, hwaddr addr, unsigned size)
1272 {
1273     struct vmsvga_state_s *s = opaque;
1274 
1275     switch (addr) {
1276     case SVGA_IO_MUL * SVGA_INDEX_PORT: return vmsvga_index_read(s, addr);
1277     case SVGA_IO_MUL * SVGA_VALUE_PORT: return vmsvga_value_read(s, addr);
1278     case SVGA_IO_MUL * SVGA_BIOS_PORT: return vmsvga_bios_read(s, addr);
1279     default: return -1u;
1280     }
1281 }
1282 
1283 static void vmsvga_io_write(void *opaque, hwaddr addr,
1284                             uint64_t data, unsigned size)
1285 {
1286     struct vmsvga_state_s *s = opaque;
1287 
1288     switch (addr) {
1289     case SVGA_IO_MUL * SVGA_INDEX_PORT:
1290         vmsvga_index_write(s, addr, data);
1291         break;
1292     case SVGA_IO_MUL * SVGA_VALUE_PORT:
1293         vmsvga_value_write(s, addr, data);
1294         break;
1295     case SVGA_IO_MUL * SVGA_BIOS_PORT:
1296         vmsvga_bios_write(s, addr, data);
1297         break;
1298     }
1299 }
1300 
1301 static const MemoryRegionOps vmsvga_io_ops = {
1302     .read = vmsvga_io_read,
1303     .write = vmsvga_io_write,
1304     .endianness = DEVICE_LITTLE_ENDIAN,
1305     .valid = {
1306         .min_access_size = 4,
1307         .max_access_size = 4,
1308         .unaligned = true,
1309     },
1310     .impl = {
1311         .unaligned = true,
1312     },
1313 };
1314 
1315 static void pci_vmsvga_realize(PCIDevice *dev, Error **errp)
1316 {
1317     struct pci_vmsvga_state_s *s = VMWARE_SVGA(dev);
1318 
1319     dev->config[PCI_CACHE_LINE_SIZE] = 0x08;
1320     dev->config[PCI_LATENCY_TIMER] = 0x40;
1321     dev->config[PCI_INTERRUPT_LINE] = 0xff;          /* End */
1322 
1323     memory_region_init_io(&s->io_bar, OBJECT(dev), &vmsvga_io_ops, &s->chip,
1324                           "vmsvga-io", 0x10);
1325     memory_region_set_flush_coalesced(&s->io_bar);
1326     pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->io_bar);
1327 
1328     vmsvga_init(DEVICE(dev), &s->chip,
1329                 pci_address_space(dev), pci_address_space_io(dev));
1330 
1331     pci_register_bar(dev, 1, PCI_BASE_ADDRESS_MEM_PREFETCH,
1332                      &s->chip.vga.vram);
1333     pci_register_bar(dev, 2, PCI_BASE_ADDRESS_MEM_PREFETCH,
1334                      &s->chip.fifo_ram);
1335 }
1336 
1337 static Property vga_vmware_properties[] = {
1338     DEFINE_PROP_UINT32("vgamem_mb", struct pci_vmsvga_state_s,
1339                        chip.vga.vram_size_mb, 16),
1340     DEFINE_PROP_BOOL("global-vmstate", struct pci_vmsvga_state_s,
1341                      chip.vga.global_vmstate, false),
1342     DEFINE_PROP_END_OF_LIST(),
1343 };
1344 
1345 static void vmsvga_class_init(ObjectClass *klass, void *data)
1346 {
1347     DeviceClass *dc = DEVICE_CLASS(klass);
1348     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
1349 
1350     k->realize = pci_vmsvga_realize;
1351     k->romfile = "vgabios-vmware.bin";
1352     k->vendor_id = PCI_VENDOR_ID_VMWARE;
1353     k->device_id = SVGA_PCI_DEVICE_ID;
1354     k->class_id = PCI_CLASS_DISPLAY_VGA;
1355     k->subsystem_vendor_id = PCI_VENDOR_ID_VMWARE;
1356     k->subsystem_id = SVGA_PCI_DEVICE_ID;
1357     dc->reset = vmsvga_reset;
1358     dc->vmsd = &vmstate_vmware_vga;
1359     device_class_set_props(dc, vga_vmware_properties);
1360     dc->hotpluggable = false;
1361     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
1362 }
1363 
1364 static const TypeInfo vmsvga_info = {
1365     .name          = TYPE_VMWARE_SVGA,
1366     .parent        = TYPE_PCI_DEVICE,
1367     .instance_size = sizeof(struct pci_vmsvga_state_s),
1368     .class_init    = vmsvga_class_init,
1369     .interfaces = (InterfaceInfo[]) {
1370         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
1371         { },
1372     },
1373 };
1374 
1375 static void vmsvga_register_types(void)
1376 {
1377     type_register_static(&vmsvga_info);
1378 }
1379 
1380 type_init(vmsvga_register_types)
1381