
[2/2] qxl: surface0 and ram_header should fit into vram

Message ID 1424121788-24560-3-git-send-email-rkrcmar@redhat.com
State New

Commit Message

Radim Krčmář Feb. 16, 2015, 9:23 p.m. UTC
The solution is not perfect, but won't let us do the same error again
and has no overhead.

Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
---
 hw/display/qxl.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Gerd Hoffmann Feb. 17, 2015, 8:02 a.m. UTC | #1
On Mo, 2015-02-16 at 22:23 +0100, Radim Krčmář wrote:
> The solution is not perfect, but won't let us do the same error again
> and has no overhead.

How do you get qemu into a configuration where this isn't true?

cheers,
  Gerd
Radim Krčmář Feb. 17, 2015, 10:31 a.m. UTC | #2
2015-02-17 09:02+0100, Gerd Hoffmann:
> On Mo, 2015-02-16 at 22:23 +0100, Radim Krčmář wrote:
> > The solution is not perfect, but won't let us do the same error again
> > and has no overhead.
> 
> How do you get qemu into a configuration where this isn't true?

Without [1/2], by setting qxl-vga.vgamem_mb > 128.
The segfault happens when qxl-vga.vgamem_mb > 256.

In both cases, qxl->vga.vram_size is rounded to 256, but in the latter
one, we allocate less memory than is later accessed.

Patch

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 61df47726481..d5e85d033080 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -367,6 +367,8 @@  static void init_qxl_rom(PCIQXLDevice *d)
     num_pages         -= surface0_area_size;
     num_pages          = num_pages / QXL_PAGE_SIZE;
 
+    assert(surface0_area_size + ram_header_size <= d->vga.vram_size);
+
     rom->draw_area_offset   = cpu_to_le32(0);
     rom->surface0_area_size = cpu_to_le32(surface0_area_size);
     rom->pages_offset       = cpu_to_le32(surface0_area_size);
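Review bot: the new `assert(surface0_area_size + ram_header_size <= d->vga.vram_size);` in init_qxl_rom() turns a configuration problem (per the discussion, a vgamem_mb value that no longer fits the rounded vram_size) into an abort of the whole QEMU process rather than a refused device. Since the inputs are device properties chosen at startup, consider validating this in the device's realize path with error_setg() and failing instantiation, keeping the assert only as a last-line invariant; the commit message itself calls the assert "not perfect". The check is also placed after `num_pages -= surface0_area_size;`, so the subtraction on the preceding lines runs before the size relationship has been verified; moving the check above that computation would make the invariant hold for every value derived from it.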