This is the second version of the patch. We don't use the word "blit" any more, instead this is replaced with "DMA", even though it's not quite like a DMA operation on physical hardware.
The guest writes the physical address and size to two 32-bit fw_cfg variables. Then when the guest issues an ordinary read operation with the extra FW_CFG_DMA flag set, instead of returning a single byte, qemu "DMA"s the requested data into the guest memory.

The guest shouldn't be able to request a dma_size larger than the amount of data in the entry. The patch checks this and adjusts dma_size.

The guest might select a dma_addr which does not correspond to physical memory (or dma_addr + dma_size). Reading the code, it seems that cpu_physical_memory_write catches this case and will abort() (so the guest is only harming itself). However I'd quite like an expert opinion on this ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://et.redhat.com/~rjones/virt-top
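A constructed model of the read path the mail describes, added here as an example; it is not the patch itself nor QEMU's own code. The entry layout, the guest RAM size and the decision to reject (rather than abort on) an address range outside guest RAM are assumptions made for the example; the clamping of dma_size to the bytes left in the entry is the check the mail describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumption: a small flat guest RAM standing in for the target that
 * cpu_physical_memory_write() would address in QEMU. */
#define GUEST_RAM_SIZE 4096u
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Assumed layout of one fw_cfg entry: its bytes, their count, and how many
 * bytes the guest has already consumed with ordinary single-byte reads. */
typedef struct {
    const uint8_t *data;
    uint32_t len;
    uint32_t cur_offset;   /* invariant: cur_offset <= len */
} FwCfgEntry;

/* Device side of a read issued with the DMA flag set: copy the remainder of
 * the selected entry to guest memory at dma_addr.  Returns the number of bytes
 * written (dma_size after clamping), or -1 if the guest-supplied range is not
 * backed by guest RAM, the case the mail asks about. */
long fw_cfg_dma_read(FwCfgEntry *e, uint32_t dma_addr, uint32_t dma_size)
{
    uint32_t avail = e->len - e->cur_offset;

    /* The guest may not ask for more than is left in the entry. */
    if (dma_size > avail) {
        dma_size = avail;
    }
    /* Bounds check written as a subtraction so that a large dma_addr cannot
     * make dma_addr + dma_size wrap around in 32 bits and pass the test. */
    if (dma_addr > GUEST_RAM_SIZE || dma_size > GUEST_RAM_SIZE - dma_addr) {
        return -1;
    }
    memcpy(guest_ram + dma_addr, e->data + e->cur_offset, dma_size);
    e->cur_offset += dma_size;
    return (long)dma_size;
}

int main(void)
{
    /* Constructed entry: 11 bytes of payload, nothing consumed yet. */
    FwCfgEntry e = { (const uint8_t *)"hello world", 11, 0 };
    printf("dma_size 64 -> wrote %ld bytes\n", fw_cfg_dma_read(&e, 0x100, 64));
    printf("out-of-RAM range -> %ld\n", fw_cfg_dma_read(&e, 0xFFFFFFF0u, 4));
    return 0;
}
```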