| Message ID | 20200820153228.85587-1-liq3ea@163.com |
|---|---|
| State | New, archived |
| Series | hw: cirrus_vga: mask 'off_begin' in cirrus_invalidate_region() |
> This patch fixes this. > --- a/hw/display/cirrus_vga.c > +++ b/hw/display/cirrus_vga.c > @@ -644,7 +644,7 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, > off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1; > assert(off_cur_end >= off_cur); > memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur); > - off_begin += off_pitch; > + off_begin = (off_begin + off_pitch) & s->cirrus_addr_mask; > } Well. Only in case the wraparound doesn't split a scanline ... take care, Gerd
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 212d6f5e61..93fabd19a7 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -644,7 +644,7 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin, off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1; assert(off_cur_end >= off_cur); memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur); - off_begin += off_pitch; + off_begin = (off_begin + off_pitch) & s->cirrus_addr_mask; } }
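Review bot: masking `off_begin` after the increment does not remove the condition the assert checks. In the visible lines `off_cur_end` is already computed through the mask, `off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1;`, so when a single scanline extends past the end of the aperture the masked sum wraps to a small value, `off_cur_end < off_cur`, and `assert(off_cur_end >= off_cur);` still fires on that iteration whatever `off_begin` held; this is the split-scanline case Gerd's reply points at. The change is still worth keeping, since `off_begin` is an `int` (see the hunk header) and without the mask a large `lines` with a positive `off_pitch` walks it toward overflow, but the straddling scanline needs separate handling: either clamp `off_cur_end` to `s->cirrus_addr_mask + 1` and mark the remainder from offset 0 with a second `memory_region_set_dirty()` call, or reject such a region before the loop. The commit message should also state which of the two cases the patch covers; "It may be greater than 's->cirrus_addr_mask' thus trigger the assert" reads as if the assert were on `off_begin` itself.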
In the while loop of cirrus_invalidate_region() the 'off_begin' increases every loop. It may be greater than 's->cirrus_addr_mask', thus triggering the assert in the loop. The following reproducer is provided in:

-->https://bugs.launchpad.net/qemu/+bug/1880189

qemu-system-i386 -M isapc,accel=qtest -vga cirrus -qtest stdio << 'EOF'
outl 0x03b1 0x2fdc1001
outb 0x03cc 0xe
outb 0x03cc 0xe
outb 0x03cc 0x2f
outb 0x03cc 0xe
outb 0x03cc 0x2f
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outb 0x03cc 0x2f
outl 0x03cc 0xe24f40e
outl 0x03cc 0x2f23dc12
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe2af40e
outl 0x03cc 0x2f235612
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0x2fdcf40e
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outb 0x03cc 0x2f
outl 0x03cc 0xe24f40e
outl 0x03cc 0xe23dc12
outb 0x03cc 0x2f
outl 0x03cc 0xedc100e
outl 0x03cc 0x2fdc400e
outb 0x03cc 0xe
outl 0x03cc 0xe130100e
outb 0x03cc 0x2f
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe33f40e
outl 0x03cc 0xdc235612
outb 0x03cc 0xe
outl 0x03cc 0x2fdc400e
outb 0x03cc 0xe
outl 0x03cc 0xfb24100e
outb 0x03cc 0x2f
outl 0x03cc 0xdc10dc0e
outl 0x03cc 0x2f31dc12
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0x1021f40e
EOF

This patch fixes this.

Buglink: https://bugs.launchpad.net/qemu/+bug/1880189
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Li Qiang <liq3ea@163.com>
---
 hw/display/cirrus_vga.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
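The loop the commit message describes, rebuilt as a constructed stand-alone C model. This is added here for illustration; it is not QEMU code and not part of the patch. `ADDR_MASK`, `VRAM_SIZE`, `ranges_t`, `record()`, `invalidate_masked()`, `invalidate_split()`, `ranges_in_bounds()` and `ranges_total()` are all hypothetical names, the aperture is assumed to be 4 MiB, `memory_region_set_dirty()` is replaced by a recorder, and only a non-negative `off_pitch` is modelled. `invalidate_masked()` follows the patched loop and returns false at the point where the real `assert(off_cur_end >= off_cur)` would fire; `invalidate_split()` shows one way to handle the case Gerd's reply raises, a scanline that straddles the end of the aperture, by marking two ranges instead of one. The sample offsets and line sizes in `main()` are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed 4 MiB aperture, so the mask is 0x3fffff (stand-in for
 * s->cirrus_addr_mask, not the device's real value). */
#define ADDR_MASK 0x3fffffu
#define VRAM_SIZE (ADDR_MASK + 1u)
#define MAX_RANGES 32

/* Stand-in for memory_region_set_dirty(): every (start, len) range the loop
 * would mark dirty is recorded so it can be inspected afterwards. */
typedef struct { unsigned start, len; } range_t;
typedef struct { range_t r[MAX_RANGES]; int n; } ranges_t;

static void record(ranges_t *out, unsigned start, unsigned len)
{
    if (out->n < MAX_RANGES) {
        out->r[out->n].start = start;
        out->r[out->n].len = len;
    }
    out->n++;
}

/* The loop as the patch leaves it: off_begin is masked after every line.
 * Returns false on the iteration where the real assert would fire: when one
 * scanline runs past the end of the aperture, the masked value of
 * (off_cur + bytesperline - 1) wraps to a small number and off_cur_end ends
 * up below off_cur, no matter what off_begin held. */
bool invalidate_masked(int off_begin, int off_pitch, int bytesperline,
                       int lines, ranges_t *out)
{
    out->n = 0;
    if (bytesperline <= 0 || off_pitch < 0) {
        return false;
    }
    for (int y = 0; y < lines; y++) {
        unsigned off_cur = (unsigned)off_begin & ADDR_MASK;
        unsigned off_cur_end =
            ((off_cur + (unsigned)bytesperline - 1) & ADDR_MASK) + 1;
        if (off_cur_end < off_cur) {
            return false;           /* assert(off_cur_end >= off_cur) */
        }
        record(out, off_cur, off_cur_end - off_cur);
        /* the patched update: keep off_begin inside the aperture */
        off_begin = (int)(((unsigned)off_begin + (unsigned)off_pitch) & ADDR_MASK);
    }
    return true;
}

/* Wrap-safe variant: a scanline that straddles the aperture end is split into
 * the tail of the aperture plus a range starting at offset 0, so no range ever
 * ends past VRAM_SIZE and no assert is needed. */
bool invalidate_split(int off_begin, int off_pitch, int bytesperline,
                      int lines, ranges_t *out)
{
    out->n = 0;
    if (bytesperline <= 0 || (unsigned)bytesperline > VRAM_SIZE || off_pitch < 0) {
        return false;
    }
    for (int y = 0; y < lines; y++) {
        unsigned off_cur = (unsigned)off_begin & ADDR_MASK;
        unsigned room = VRAM_SIZE - off_cur;   /* bytes left before the end */
        if ((unsigned)bytesperline <= room) {
            record(out, off_cur, (unsigned)bytesperline);
        } else {
            record(out, off_cur, room);
            record(out, 0, (unsigned)bytesperline - room);
        }
        off_begin = (int)(((unsigned)off_begin + (unsigned)off_pitch) & ADDR_MASK);
    }
    return true;
}

/* True if every recorded range lies inside the aperture. */
bool ranges_in_bounds(const ranges_t *out)
{
    int n = out->n < MAX_RANGES ? out->n : MAX_RANGES;
    for (int i = 0; i < n; i++) {
        if (out->r[i].start >= VRAM_SIZE ||
            out->r[i].len > VRAM_SIZE - out->r[i].start) {
            return false;
        }
    }
    return true;
}

unsigned ranges_total(const ranges_t *out)
{
    unsigned total = 0;
    int n = out->n < MAX_RANGES ? out->n : MAX_RANGES;
    for (int i = 0; i < n; i++) {
        total += out->r[i].len;
    }
    return total;
}

int main(void)
{
    ranges_t r;
    /* 1024-byte lines, 2048-byte pitch, starting 4 KiB below the aperture end:
     * the region wraps between scanlines, which the masked loop handles. */
    printf("wrap between lines, masked loop: %s\n",
           invalidate_masked(0x3ff000, 2048, 1024, 4, &r) ? "ok" : "assert");
    /* starting 512 bytes below the end: one scanline straddles the wrap */
    printf("straddling line, masked loop:    %s\n",
           invalidate_masked(0x3ffe00, 2048, 1024, 1, &r) ? "ok" : "assert");
    printf("straddling line, split loop:     %s (%d ranges)\n",
           invalidate_split(0x3ffe00, 2048, 1024, 1, &r) ? "ok" : "rejected", r.n);
    return 0;
}
```

The first call shows what the patch does fix: once `off_begin` crosses the end of the aperture between scanlines, masking it brings the next line back to offset 0 and every range stays in bounds. The second call shows the case the patch leaves alone, and the third shows the split approach producing two in-bounds ranges for the same input.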