{"id":2222065,"url":"http://patchwork.ozlabs.org/api/1.1/covers/2222065/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/cover/20260410183249.4046456-1-peter.maydell@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.1/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260410183249.4046456-1-peter.maydell@linaro.org>","date":"2026-04-10T18:32:47","name":"[0/2] hw/display/cirrus_vga: Fix packed-24 color-expansion ops","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/1.1/people/5111/?format=json","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/cover/20260410183249.4046456-1-peter.maydell@linaro.org/mbox/","series":[{"id":499492,"url":"http://patchwork.ozlabs.org/api/1.1/series/499492/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=499492","date":"2026-04-10T18:32:49","name":"hw/display/cirrus_vga: Fix packed-24 color-expansion ops","version":1,"mbox":"http://patchwork.ozlabs.org/series/499492/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2222065/comments/","headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","From":"Peter Maydell <peter.maydell@linaro.org>","To":"qemu-devel@nongnu.org","Cc":"Gerd Hoffmann <kraxel@redhat.com>","Subject":"[PATCH 0/2] hw/display/cirrus_vga: Fix packed-24 color-expansion ops","Date":"Fri, 10 Apr 2026 19:32:47 +0100","Message-ID":"<20260410183249.4046456-1-peter.maydell@linaro.org>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"The Cirrus Logic VGA card raster ops allow the left side of the input\nsource to be clipped (or skipped) based on a \"destination write mask\"\nfield in the GR2F bitblt register. For 8, 16 and 32bpp, this field has\na simple 3-bit format indicating the number of pixels to skip on the\nleft edge of each scanline. For 24bpp, the field is 5-bit, and is a\nbyte count of how many destination bytes to skip.\n\nThe card also supports a \"color expansion\" mode for raster ops where\nthe input is a monochrome bitmap or bitmap pattern, where each bit is\nexpanded into a full-color pixel which is either the background or\nforeground color (or not drawn at all, for transparency).\n\nWe have a bug in our implementation of the interaction of these two\nfeatures: for color-expansion to 8/16/32bpp the 3-bit destination\nwrite mask field doesn't allow skipping a full byte of the input\nmonochrome bitmap, but in 24bpp the 5-bit field means we might need to\nskip a byte and a bit of the source. We weren't accounting for this\nneed to skip a full byte. The result for the \"pattern fill\" raster op\ntype (where the input is a repeating 8x8 monochrome tile) is that we\nattempt to shift by a negative value, which is caught by the\nundefined-behaviour sanitizer. For the other color-expansion ops, we\nmerely write the wrong data to the display.\n\nThis patchset fixes both bugs. The UB one was reported as\nhttps://gitlab.com/qemu-project/qemu/-/work_items/3377\n\nThe technical reference manual says that 24-bpp color expansion\n\"*must* use transparency\" and doesn't say what happens if you try to\ndo it anyway, which is presumably why the other raster op functions in\ncirrus_vga_rop2.h don't try to handle the 24bpp write-mask format. 
I\nhave left this as it is, since we don't have any reports of UB there.\n\nBig disclaimer on this: I have no guest images that try to use the\nCirrus bitblt handling at all, so I have only developed these against\nthe reference manual and confirmed that it fixes the UB repro case\nfrom the bug. If anybody does have test images for these that would be\ngood to test...\n\nThis bug has been in QEMU for decades, so I think we're OK letting\nit slide to QEMU 11.1.\n\nthanks\n-- PMM\n\nPeter Maydell (2):\n  hw/display/cirrus_vga: Fix packed-24 color-expansion transparent\n    pattern fills\n  hw/display/cirrus_vga: Fix packed-24 color-expansion transparent\n    copies\n\n hw/display/cirrus_vga_rop2.h | 52 ++++++++++++++++++++++++++++++++----\n 1 file changed, 47 insertions(+), 5 deletions(-)"}