qemu-devel.nongnu.org archive mirror
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PULL 4/4] hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()
Date: Mon, 24 Nov 2025 14:30:36 +0000	[thread overview]
Message-ID: <20251124143036.4113886-5-peter.maydell@linaro.org> (raw)
In-Reply-To: <20251124143036.4113886-1-peter.maydell@linaro.org>

In fimd_update_memory_section() we attempt to find and map part of
the RAM MR which backs the framebuffer, based on guest-configurable
size and start address.

If the guest configures framebuffer settings which result in a
zero-sized framebuffer, we hit an assertion(), because
memory_region_find() will return a NULL mem_section.mr.

Explicitly check for the zero-size case and treat this as a
guest error.

Because we now have a code path which can reach error_return without
calling memory_region_find to set w->mem_section, we must NULL out
w->mem_section.mr after the unref of the old MR, so that error_return
does not incorrectly double-unref the old MR.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1407
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20251107143913.1341358-1-peter.maydell@linaro.org
---
 hw/display/exynos4210_fimd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c
index 6b1eb43987c..49c180fec0c 100644
--- a/hw/display/exynos4210_fimd.c
+++ b/hw/display/exynos4210_fimd.c
@@ -1146,6 +1146,13 @@ static void fimd_update_memory_section(Exynos4210fimdState *s, unsigned win)
     if (w->mem_section.mr) {
         memory_region_set_log(w->mem_section.mr, false, DIRTY_MEMORY_VGA);
         memory_region_unref(w->mem_section.mr);
+        w->mem_section.mr = NULL;
+    }
+
+    if (w->fb_len == 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "FIMD: Guest config means framebuffer is zero length\n");
+        goto error_return;
     }
 
     w->mem_section = memory_region_find(s->fbmem, fb_start_addr, w->fb_len);
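Review bot: The `w->mem_section.mr = NULL;` added right after `memory_region_unref(w->mem_section.mr);` carries a non-obvious invariant (the `error_return` path unrefs whatever `mem_section.mr` still points at, so a stale pointer would be unreferenced twice) but the reason only lives in the commit message; a one-line comment at that assignment, e.g. `/* error_return unrefs mem_section.mr; avoid a double unref */`, would keep a future cleanup from dropping it. The new `fb_len == 0` check sits after the old section has already been released, which is the right order for treating a zero-length configuration as a guest error, since the window ends up with no mapping rather than the previous one.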
-- 
2.43.0
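To make the double-unref hazard from the commit message concrete, here is an added, self-contained C model of the update/error_return pattern; it is not QEMU code. It assumes a toy refcounted region, a stand-in for memory_region_find() that yields a NULL mr for a zero length (as the message states), and an error_return path that unrefs a still-set mr (assumed from the message's description):

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model (assumption, not QEMU's types): a refcounted region, a section
 * pointing at it, and a window holding one section plus its fb_len. */
typedef struct { int refcount; } MemoryRegion;
typedef struct { MemoryRegion *mr; } MemorySection;
typedef struct { MemorySection mem_section; uint32_t fb_len; } Window;

static void memory_region_unref(MemoryRegion *mr) { mr->refcount--; }

/* Stand-in for memory_region_find(): a zero length yields a NULL mr. */
static MemorySection find_section(MemoryRegion *backing, uint32_t len)
{
    MemorySection sec = { NULL };
    if (len != 0) {
        backing->refcount++;   /* the found section holds a reference */
        sec.mr = backing;
    }
    return sec;
}

/* Mirrors the patched function. fixed=0 models the code without the
 * "w->mem_section.mr = NULL" line; fixed=1 models the patch.
 * Returns 0 on success, -1 on the zero-length guest error. */
static int update_section(Window *w, MemoryRegion *backing, int fixed)
{
    if (w->mem_section.mr) {
        memory_region_unref(w->mem_section.mr);
        if (fixed) {
            w->mem_section.mr = NULL;   /* the one-line fix */
        }
    }
    if (w->fb_len == 0) {
        goto error_return;              /* guest error: zero-length fb */
    }
    w->mem_section = find_section(backing, w->fb_len);
    return 0;

error_return:
    /* Assumed error path: release whatever the section still references.
     * Without the fix, this unrefs the stale old MR a second time. */
    if (w->mem_section.mr) {
        memory_region_unref(w->mem_section.mr);
        w->mem_section.mr = NULL;
    }
    return -1;
}

/* Drive one window from a mapped state into the zero-length case and
 * report the backing region's final refcount (1 = owner ref intact). */
static int refcount_after_zero_length(int fixed)
{
    MemoryRegion backing = { 1 };       /* owner holds one reference */
    Window w = { { NULL }, 4096 };
    update_section(&w, &backing, fixed); /* maps: refcount becomes 2 */
    w.fb_len = 0;                        /* guest reconfigures to zero */
    update_section(&w, &backing, fixed);
    return backing.refcount;
}
```

With the fix the owner's reference survives the guest error; without it the model's refcount drops to 0, which is the double unref the commit message describes.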
