From nobody Sat May 30 18:34:26 2026
From: Junjie Cao
To: qemu-devel@nongnu.org
Cc: balaton@eik.bme.hu, chad@jablonski.xyz, philmd@linaro.org, bea1e@proton.me, qemu-stable@nongnu.org, junjie.cao@intel.com
Subject: [PATCH v2 1/2] hw/display/ati: reset host_data.next in write handler after flush
Date: Tue, 19 May 2026 10:39:36 +0800
Message-ID: <20260519023937.439077-2-junjie.cao@intel.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260519023937.439077-1-junjie.cao@intel.com>
References: <20260519023937.439077-1-junjie.cao@intel.com>

ati_host_data_flush() resets host_data.next only on its success path. When it returns early (unsupported bpp, direction, src_source, or src_datatype), next remains stale at >= 4. The next HOST_DATA write then stores a guest-controlled dword at acc[4+], overflowing the 4-element accumulator array.

Fix this by resetting next unconditionally in the write handler after calling ati_host_data_flush() or ati_host_data_finish(), and removing the reset from inside ati_host_data_flush(). This ensures the write handler owns the full lifecycle of the accumulator index regardless of flush success or failure.

Reported-by: Feifan Qian
Resolves: https://lore.kernel.org/qemu-devel/Czyl6yVfL6sHl_o1kRk8N_LpwXMMRVhO9vgz1qCVJFagn9D4nHSKuiux39iOLty0Q3acxQq_FeovPhTQvSKus2htwjI9lTajLZmqovr0Wxs=@proton.me/
Cc: qemu-stable@nongnu.org
Signed-off-by: Junjie Cao
Reviewed-by: Chad Jablonski
---
 hw/display/ati.c | 2 ++ hw/display/ati_2d.c | 1 - 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/display/ati.c b/hw/display/ati.c index d77589df67..db7e08a462 100644 --- a/hw/display/ati.c +++ b/hw/display/ati.c @@ -1034,8 +1034,10 @@ static void ati_mm_write(void *opaque, hwaddr addr, s->host_data.acc[s->host_data.next++] =3D data; if (addr =3D=3D HOST_DATA_LAST) { ati_host_data_finish(s); + s->host_data.next =3D 0; } else if (s->host_data.next >=3D 4) { ati_host_data_flush(s); + s->host_data.next =3D 0; } break; default:
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c index 48498677c7..8ef82bb87f 100644 --- a/hw/display/ati_2d.c +++ b/hw/display/ati_2d.c
@@ -452,7 +452,6 @@ bool ati_host_data_flush(ATIVGAState *s) } =20 /* Track state of the overall blit for use by the next flush */ - s->host_data.next =3D 0; s->host_data.row =3D row; s->host_data.col =3D col; if (s->host_data.row >=3D ctx.dst.height) {
-- 
2.43.0
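Review bot: in the ati_mm_write() hunk the two added `s->host_data.next = 0;` lines are identical in both branches of the if/else and could be hoisted to a single reset after the closing brace, since the handler now owns the index on every path. A one-line comment at that reset saying it is deliberately unconditional (the bool returned by ati_host_data_flush() is discarded at this call site) would keep a later refactor from tying it back to the flush result, which is exactly the pattern this patch removes.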
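Review bot: in the ati_2d.c hunk, with `s->host_data.next = 0;` removed, the comment `/* Track state of the overall blit for use by the next flush */` still reads as if this block owns the accumulator state; extend it, or the header comment of ati_host_data_flush(), to state that every caller must reset host_data.next itself after the call, success or failure, so the contract the fix depends on lives next to the function and not only in the commit message. The diffstat updates only the ati_mm_write() caller; confirm no other call site of ati_host_data_flush() relied on the reset that this hunk deletes.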
From: Junjie Cao
To: qemu-devel@nongnu.org
Cc: balaton@eik.bme.hu, chad@jablonski.xyz, philmd@linaro.org, bea1e@proton.me, qemu-stable@nongnu.org, junjie.cao@intel.com
Subject: [PATCH v2 2/2] hw/display/ati: guard against zero bpp in ati_host_data_flush
Date: Tue, 19 May 2026 10:39:37 +0800
Message-ID: <20260519023937.439077-3-junjie.cao@intel.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260519023937.439077-1-junjie.cao@intel.com>
References: <20260519023937.439077-1-junjie.cao@intel.com>

ati_bpp_from_datatype() returns 0 for unrecognized dp_datatype nibble values (0, 1, or >= 7). ati_host_data_flush() only guards against the bpp == 24 case but not bpp == 0, leading to:

1. Division by zero at "pix_count /= ctx.bpp" (SIGFPE) when src_datatype is SRC_COLOR.
2. g_assert_not_reached() in stn_he_p() when bypp (= bpp/8 = 0) hits the default case of the size switch.

Both are guest-triggerable via MMIO writes to the dp_datatype register while a HOST_DATA blit is active.

Add an explicit bpp == 0 check with LOG_GUEST_ERROR before proceeding with the blit, consistent with the existing check in ati_2d_do_blt().

Reported-by: Feifan Qian
Cc: qemu-stable@nongnu.org
Signed-off-by: Junjie Cao
Reviewed-by: Chad Jablonski
---
 hw/display/ati_2d.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c index 8ef82bb87f..22dd811bd8 100644 --- a/hw/display/ati_2d.c +++ b/hw/display/ati_2d.c @@ -377,6 +377,11 @@ bool ati_host_data_flush(ATIVGAState *s) =20 setup_2d_blt_ctx(s, &ctx); =20 + if (!ctx.bpp) { + qemu_log_mask(LOG_GUEST_ERROR, + "host_data_blt: invalid bpp from datatype\n"); + return false; + } if (ctx.bpp =3D=3D 24) { qemu_log_mask(LOG_UNIMP, "host_data_blt: unsupported in 24 bits mode\n");
-- 
2.43.0
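Review bot: the new `if (!ctx.bpp)` check sits directly after setup_2d_blt_ctx() and before the 24-bit check, which is the right spot, but its `return false;` is only safe because 1/2 moved the host_data.next reset into the caller; the commit message should say that 2/2 depends on 1/2 so the two are not cherry-picked to stable separately. Consider also including the offending dp_datatype value in the LOG_GUEST_ERROR message, since that guest-programmed register is what produced the zero bpp and the current text "invalid bpp from datatype" gives a triager nothing to correlate with.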