
[Qemu-commits] [qemu/qemu] 84ec3f: sm501: Fix bounds checks


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 84ec3f: sm501: Fix bounds checks
Date: Thu, 02 Jul 2020 08:00:33 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 84ec3f940289dfba9b6de531c9aac7f089fc6c8f
      
https://github.com/qemu/qemu/commit/84ec3f940289dfba9b6de531c9aac7f089fc6c8f
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Fix bounds checks

We don't need to add width to pitch when calculating the last point; that
would reject valid ops within the card's local_mem.

Fixes: b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: ddb5781d12913bb9d6dbfd9e5b1e2b893e2b3e2d.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 4decaad9d295c8598bbcba09c40d3fd4a115f1e8
      
https://github.com/qemu/qemu/commit/4decaad9d295c8598bbcba09c40d3fd4a115f1e8
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Drop unneeded variable

We don't need a separate variable to keep track if we allocated memory
that needs to be freed as we can test the pointer itself.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: ff9136c3151a15cdfa1d9b7a68acf11cffb8efa4.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 1cb62e3666b48ac4c6a22340165e21439919908f
      
https://github.com/qemu/qemu/commit/1cb62e3666b48ac4c6a22340165e21439919908f
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Ignore no-op blits

Some guests seem to try source copy blits with same source and dest
which are no-op so avoid calling pixman for these.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: a2a8214dd37344dfb65f1c343ace4cff2e94f3bb.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 299778d5af207b298224d2c610324941b8561006
      
https://github.com/qemu/qemu/commit/299778d5af207b298224d2c610324941b8561006
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Introduce variable for commonly used value for better readability

The bytes per pixel value can be calculated from format but it's used
frequently enough (and will be used more in subsequent patches) so store
it in a variable for better readability. Also drop some unneeded 0x
prefix around where new variable is defined.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: b9ea5ef2d68583db9f3fb73a2b859abbd7c044a8.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: c208085a3e979e1da23a59c397ad6ab56a29d7bf
      
https://github.com/qemu/qemu/commit/c208085a3e979e1da23a59c397ad6ab56a29d7bf
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Optimise 1 pixel 2d ops

Some guests do 1x1 blits which is faster to do directly than calling a
function for it so avoid overhead in this case.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 7cccc302d7b4c5c313bad7681ac4686417143c3e.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: ba27110fab0b7ba26ff6a36a7311481181dd83f8
      
https://github.com/qemu/qemu/commit/ba27110fab0b7ba26ff6a36a7311481181dd83f8
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Use stn_he_p/ldn_he_p instead of switch/case

Instead of open coding op with different sizes using a switch and type
casting it can be written more compactly using stn_he_p/ldn_he_p.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: e2f649cb286f0735a10ec87c1b36a7ae081acb61.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: f018edc358669d42553f4a636b7611d05ab2198f
      
https://github.com/qemu/qemu/commit/f018edc358669d42553f4a636b7611d05ab2198f
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Do not allow guest to set invalid format

Prevent guest setting invalid format value that might trip checks in
sm501_2d_operation().

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 26d4fa9b8ce81e2723e98d592ccba7550042752c.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: d8327a68694e49d7d125b5dbe4eeaaf9695cbb73
      
https://github.com/qemu/qemu/commit/d8327a68694e49d7d125b5dbe4eeaaf9695cbb73
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c
    M hw/display/trace-events

  Log Message:
  -----------
  sm501: Convert debug printfs to traces

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: caf97bf0c84a440896ddf020e84c312fa5c15076.1592686588.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 9982c605a71bffd4c52c111b5c79e2060953a762
      
https://github.com/qemu/qemu/commit/9982c605a71bffd4c52c111b5c79e2060953a762
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/sm501.c

  Log Message:
  -----------
  sm501: Fix and optimize overlap check

When doing reverse blit we need to check if source and dest overlap
but it is not trivial due to possible different base and pitch of
source and dest. Do rectangle overlap if base and pitch match,
otherwise just check if memory area containing the rects overlaps so
rects could possibly overlap.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-Id: <20200624164737.A941374633D@zero.eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: d634c883ca07c28da2cb84c019659694f05d8b3a
      
https://github.com/qemu/qemu/commit/d634c883ca07c28da2cb84c019659694f05d8b3a
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/ati.c

  Log Message:
  -----------
  ati-vga: Support unaligned access to hardware cursor registers

This fixes horizontal mouse movement and pointer color with MacOS that
writes these registers with access size less than 4 so previously only
the last portion of access was effective overwriting previous partial
writes.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-id: ba1d5ba97f246e8807f86f1243c2bdc6497dc8f2.1592737958.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 41977c65c04a85f177603778cb60e06847efd3af
      
https://github.com/qemu/qemu/commit/41977c65c04a85f177603778cb60e06847efd3af
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/ati.c

  Log Message:
  -----------
  ati-vga: Do not assert on error

Do not abort on unsupported value, just print log and continue. While
display will likely be broken, this prevents a malicious guest from
crashing QEMU and causing denial of service.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-id: 0c13dab5d8e3b7e7479c3edbf53aeac8c09de6de.1592737958.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 2bbcaa7cd67c30fc90d643f2fb490787b9d9627c
      
https://github.com/qemu/qemu/commit/2bbcaa7cd67c30fc90d643f2fb490787b9d9627c
  Author: BALATON Zoltan <balaton@eik.bme.hu>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M hw/display/ati.c
    M hw/display/ati_dbg.c
    M hw/display/ati_regs.h

  Log Message:
  -----------
  ati-vga: Add dummy MEM_SDRAM_MODE_REG

Radeon chips have an SDRAM mode reg that is accessed by some drivers.
We don't emulate the memory controller but provide some default value
to prevent drivers getting unexpected 0.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-id: cc1324b9ef06beb8ae233ddc77dedd8bab9b8624.1592737958.git.balaton@eik.bme.hu
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 8db2a4fd8abf6550479f7a8caa8f655c34238d6a
      
https://github.com/qemu/qemu/commit/8db2a4fd8abf6550479f7a8caa8f655c34238d6a
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2020-06-30 (Tue, 30 Jun 2020)

  Changed paths:
    M configure

  Log Message:
  -----------
  configure: vgabios cleanups

Commit 91b8eba9ec3f ("vgabios: remove submodule and build rules.")
removed the vgabios submodule, but left some traces in the configure
script.  Remove them.

Reported-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200622131240.9624-1-kraxel@redhat.com


  Commit: d0c8b957ae648f67e3ccb5a14e1edc4ae0bea5db
      
https://github.com/qemu/qemu/commit/d0c8b957ae648f67e3ccb5a14e1edc4ae0bea5db
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-07-02 (Thu, 02 Jul 2020)

  Changed paths:
    M configure
    M hw/display/ati.c
    M hw/display/ati_dbg.c
    M hw/display/ati_regs.h
    M hw/display/sm501.c
    M hw/display/trace-events

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/vga-20200701-pull-request' into staging

vga: bugfixes for ati and sm501, vgabios cleanup.

# gpg: Signature made Wed 01 Jul 2020 16:03:48 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20200701-pull-request:
  configure: vgabios cleanups
  ati-vga: Add dummy MEM_SDRAM_MODE_REG
  ati-vga: Do not assert on error
  ati-vga: Support unaligned access to hardware cursor registers
  sm501: Fix and optimize overlap check
  sm501: Convert debug printfs to traces
  sm501: Do not allow guest to set invalid format
  sm501: Use stn_he_p/ldn_he_p instead of switch/case
  sm501: Optimise 1 pixel 2d ops
  sm501: Introduce variable for commonly used value for better readability
  sm501: Ignore no-op blits
  sm501: Drop unneeded variable
  sm501: Fix bounds checks

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/fc1bff958998...d0c8b957ae64
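
Added example (not code from hw/display/sm501.c or from the commits above): a sketch of the two checks described in the log messages for "sm501: Fix bounds checks" and "sm501: Fix and optimize overlap check". The Rect type, its field names, all function names and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical blit rectangle; field names are assumptions, not QEMU's. */
typedef struct {
    uint32_t base;   /* byte offset of the surface in local memory */
    uint32_t pitch;  /* surface row length in pixels */
    uint32_t x, y;   /* top-left corner in pixels */
    uint32_t w, h;   /* size in pixels, both >= 1 */
} Rect;

static uint64_t rect_start(const Rect *r, uint32_t bpp)
{
    return r->base + ((uint64_t)r->y * r->pitch + r->x) * bpp;
}

/* One past the last byte touched: width is added once, to x. */
static uint64_t rect_end(const Rect *r, uint32_t bpp)
{
    return r->base + (((uint64_t)r->y + r->h - 1) * r->pitch + r->x + r->w) * bpp;
}

/* Over-strict variant for contrast: width added to the pitch of every row. */
static uint64_t rect_end_strict(const Rect *r, uint32_t bpp)
{
    return r->base + ((uint64_t)r->y + r->h) * ((uint64_t)r->pitch + r->w) * bpp;
}

static bool in_bounds(const Rect *r, uint32_t bpp, uint64_t mem_size)
{
    return r->w && r->h && rect_end(r, bpp) <= mem_size;
}

/* Exact rectangle test when base and pitch match (rows assumed not to wrap
 * past the pitch); otherwise a conservative byte-range test. */
static bool may_overlap(const Rect *s, const Rect *d, uint32_t bpp)
{
    if (s->base == d->base && s->pitch == d->pitch) {
        return s->x < (uint64_t)d->x + d->w && d->x < (uint64_t)s->x + s->w &&
               s->y < (uint64_t)d->y + d->h && d->y < (uint64_t)s->y + s->h;
    }
    return rect_start(s, bpp) < rect_end(d, bpp) &&
           rect_start(d, bpp) < rect_end(s, bpp);
}

int main(void)
{
    Rect fb = { 0, 1024, 0, 0, 1024, 768 };  /* constructed full-screen blit */
    return in_bounds(&fb, 2, 1024u * 768 * 2) ? 0 : 1;
}
```

With a constructed 1024x768, 2 bytes-per-pixel surface that exactly fills local memory, the full-screen blit passes in_bounds() while the over-strict end offset lands at twice the memory size, which is the kind of valid operation the first commit message says was being rejected.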


