From patchwork Thu Sep 7 08:50:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 30152 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7089AEE14D3 for ; Thu, 7 Sep 2023 08:50:47 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.8723.1694076638210861491 for ; Thu, 07 Sep 2023 01:50:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=BYlp6KUL; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=7614fa9128=yogita.urade@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 3878A2dP027155 for ; Thu, 7 Sep 2023 01:50:38 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:content-type; s=PPS06212021; bh=KgOFX YK1SQv0+OHy87DLElUhB4E/f9JX9HNL7fnf1Xc=; b=BYlp6KUL+RGwL0Dhw2mPZ FETmR9kdM07d+3XuNm7FQY3Gp7f8U9HpIbaDxl+lJEVly58irgkYnYhBCbCr9oRO +MjeG6He33yR6CFRBmgsUb/mWOBpTU+mNd4TYxgctxdkE/XK8/0eOGjfakfMl4JR L7maOO0LsqKRNgoqMwrhwvlFBXLi8pqZ0tN6yaM/KbqmE9MU+QcQB6IzvdYTcaef KNkO1qaMKgbyhYE9fJxp7Bq9Rf67ELaWoa4zKkuJlbKKxtdzS0BwVGQfXJ6Tcrhw WBTXAkVG+Z89oJLieAW3r8DT0TUSHpaRN+ttSaTvqKkseBFIVENOFMwbprM0n7Dd Q== Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3sv4jg43y1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 07 Sep 2023 01:50:37 -0700 (PDT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Thu, 7 Sep 2023 01:50:35 -0700 From: yurade To: CC: Subject: [OE-core][kirkstone][PATCH 1/2] qemu: fix CVE-2023-0330 Date: Thu, 7 Sep 2023 08:50:15 +0000 Message-ID: <20230907085016.2818537-1-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-ORIG-GUID: dZX9avmCVCA_9B_U8UIJ44WoYr8700Qp X-Proofpoint-GUID: dZX9avmCVCA_9B_U8UIJ44WoYr8700Qp X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.601,FMLib:17.11.176.26 definitions=2023-09-07_01,2023-09-05_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxlogscore=999 priorityscore=1501 phishscore=0 spamscore=0 clxscore=1015 suspectscore=0 impostorscore=0 lowpriorityscore=0 mlxscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2309070076 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Sep 2023 08:50:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187365 From: Yogita Urade A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. Summary of the problem from Peter Maydell: https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com Reference: https://gitlab.com/qemu-project/qemu/-/issues/556 qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330 b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) a2e1753b80 memory: prevent dma-reentracy issues Included second commit as well as commit log of a2e1753b80 says it resolves CVE-2023-0330 Signed-off-by: Yogita Urade --- meta/recipes-devtools/qemu/qemu.inc | 3 +- ...-2023-0330.patch => CVE-2023-0330_1.patch} | 0 .../qemu/qemu/CVE-2023-0330_2.patch | 136 ++++++++++++++++++ 3 files changed, 138 insertions(+), 1 deletion(-) rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d77c376bb6..15c7465308 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -93,7 +93,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2022-4144.patch \ file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \ file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ - file://CVE-2023-0330.patch \ + file://CVE-2023-0330_1.patch \ + file://CVE-2023-0330_2.patch \ file://CVE-2023-3301.patch \ file://CVE-2023-3255.patch \ file://CVE-2023-2861.patch \ diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch similarity index 100% rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch new file mode 100644 index 0000000000..a45ee0490a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch @@ -0,0 +1,136 @@ +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Fri, 11 Aug 2023 07:41:04 +0000 +Subject: [PATCH] memory: prevent dma-reentracy issues + +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. +This flag is set/checked prior to calling a device's MemoryRegion +handlers, and set when device code initiates DMA. The purpose of this +flag is to prevent two types of DMA-based reentrancy issues: + +1.) mmio -> dma -> mmio case +2.) bh -> dma write -> mmio case + +These issues have led to problems such as stack-exhaustion and +use-after-frees. + +Summary of the problem from Peter Maydell: +https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 +Resolves: CVE-2023-0330 + +Signed-off-by: Alexander Bulekov +Reviewed-by: Thomas Huth +Message-Id: <20230427211013.2994127-2-alxndr@bu.edu> +[thuth: Replace warn_report() with warn_report_once()] +Signed-off-by: Thomas Huth + +CVE: CVE-2023-0330 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] + +Signed-off-by: Yogita Urade +--- + include/exec/memory.h | 5 +++++ + include/hw/qdev-core.h | 7 +++++++ + softmmu/memory.c | 16 ++++++++++++++++ + 3 files changed, 28 insertions(+) + +diff --git a/include/exec/memory.h b/include/exec/memory.h +index 20f1b2737..e089f90f9 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ -734,6 +734,8 @@ struct MemoryRegion { + bool is_iommu; + RAMBlock *ram_block; + Object *owner; ++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */ ++ DeviceState *dev; + + const MemoryRegionOps *ops; + void *opaque; +@@ -757,6 +759,9 @@ struct MemoryRegion { + unsigned ioeventfd_nb; + MemoryRegionIoeventfd *ioeventfds; + RamDiscardManager *rdm; /* Only for RAM */ ++ ++ /* For devices designed to perform re-entrant IO into their own IO MRs */ ++ bool disable_reentrancy_guard; + }; + + struct IOMMUMemoryRegion { +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h +index 20d306659..14226f860 100644 +--- a/include/hw/qdev-core.h ++++ b/include/hw/qdev-core.h +@@ -162,6 +162,10 @@ struct NamedClockList { + QLIST_ENTRY(NamedClockList) node; + }; + ++typedef struct { ++ bool engaged_in_io; ++} MemReentrancyGuard; ++ + /** + * DeviceState: + * @realized: Indicates whether the device has been fully constructed. +@@ -193,6 +197,9 @@ struct DeviceState { + int instance_id_alias; + int alias_required_for_version; + ResettableState reset; ++ ++ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */ ++ MemReentrancyGuard mem_reentrancy_guard; + }; + + struct DeviceListener { +diff --git a/softmmu/memory.c b/softmmu/memory.c +index 7340e19ff..5d0ed6669 100644 +--- a/softmmu/memory.c ++++ b/softmmu/memory.c +@@ -541,6 +541,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_size_max = 4; + } + ++ /* Do not allow more than one simultaneous access to a device's IO Regions */ ++ if (mr->dev && !mr->disable_reentrancy_guard && ++ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) { ++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { ++ warn_report_once("Blocked re-entrant IO on MemoryRegion: " ++ "%s at addr: 0x%" HWADDR_PRIX, ++ memory_region_name(mr), addr); ++ return MEMTX_ACCESS_ERROR; ++ } ++ mr->dev->mem_reentrancy_guard.engaged_in_io = true; ++ } ++ + /* FIXME: support unaligned access? */ + access_size = MAX(MIN(size, access_size_max), access_size_min); + access_mask = MAKE_64BIT_MASK(0, access_size * 8); +@@ -555,6 +567,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_mask, attrs); + } + } ++ if (mr->dev) { ++ mr->dev->mem_reentrancy_guard.engaged_in_io = false; ++ } + return r; + } + +@@ -1169,6 +1184,7 @@ static void memory_region_do_init(MemoryRegion *mr, + } + mr->name = g_strdup(name); + mr->owner = owner; ++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE); + mr->ram_block = NULL; + + if (name) { +-- +2.40.0 From patchwork Thu Sep 7 08:50:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 30151 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71A1CEE14D6 for ; Thu, 7 Sep 2023 08:50:47 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.8556.1694076641175531632 for ; Thu, 07 Sep 2023 01:50:41 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@windriver.com header.s=PPS06212021 header.b=Gbs4AVry; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=7614fa9128=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 3876o2PM020087 for ; Thu, 7 Sep 2023 08:50:40 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s= PPS06212021; bh=HG/V8m3belmgeheRCRTtm5pa5LF6mYFkWrXx8eZkpG0=; b= Gbs4AVrygNvF9VqGjjWOLXw+cxJR6+6y/8buMMzh6tVJd9twUTnw4FXwrr2RnJdp weRNiEavUSivKQHOL0r7WgoPnqqJDA145kW2vUb94EKmwJMFB0Bq6Kfd5SFCNJDB na++ndv77FrxqsU/EE96MNNWol9MmDoUnTjpNYciMXeMcwphFMbLRqof1zvmRn0x 96S4m3dgbZIhvR2P889xOMFwTMZ2yx9ry4251cmsbvIywxRi2U+IiDQmcR/5JqoB Dpuk9S4Po026cEzehERycOKOMKAxJnDl8xZBr8AiPWVUN/5Ug78IqgP/eDfdaUJU XXZN7Zhb/fAt6lDyKxjRNQ== Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3suv15vd5a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 07 Sep 2023 08:50:39 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Thu, 7 Sep 2023 01:50:37 -0700 From: yurade To: CC: Subject: [OE-core][kirkstone][PATCH 2/2] qemu: fix CVE-2021-3638 Date: Thu, 7 Sep 2023 08:50:16 +0000 Message-ID: <20230907085016.2818537-2-yogita.urade@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230907085016.2818537-1-yogita.urade@windriver.com> References: <20230907085016.2818537-1-yogita.urade@windriver.com> MIME-Version: 1.0 X-Originating-IP: [147.11.136.210] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To ala-exchng01.corp.ad.wrs.com (147.11.82.252) X-Proofpoint-ORIG-GUID: Oowp5C3oTxXVmBVhfoyqVB-Kd7u3HR-v X-Proofpoint-GUID: Oowp5C3oTxXVmBVhfoyqVB-Kd7u3HR-v X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.601,FMLib:17.11.176.26 definitions=2023-09-07_01,2023-09-05_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 mlxscore=0 impostorscore=0 phishscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2309070076 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 3876o2PM020087 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 07 Sep 2023 08:50:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187366 From: Yogita Urade QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3638 https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html Signed-off-by: Yogita Urade --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3638.patch | 88 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 15c7465308..cadca6f687 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -101,6 +101,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-14394.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ + file://CVE-2021-3638.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch new file mode 100644 index 0000000000..3cbb34c54c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch @@ -0,0 +1,88 @@ +From 205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daudé +Date: Thu, 10 Aug 2023 07:30:54 +0000 +Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt + (CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When building QEMU with DEBUG_ATI defined then running with +'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' +we get: + + ati_mm_write 4 0x16c0 DP_CNTL <- 0x1 + ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2 + ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000 + ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2 + ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0 + ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000 + ati_mm_write 4 0x1420 DST_Y <- 0x3fff + ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff + ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff + ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff + ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^ + ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000) + Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault. + (gdb) bt + #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0 + #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0 + #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196 + #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843 + #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492 + +Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced +the local dst_x and dst_y which adjust the (x, y) coordinates +depending on the direction in the SRCCOPY ROP3 operation, but +forgot to address the same issue for the PATCOPY, BLACKNESS and +WHITENESS operations, which also call pixman_fill(). + +Fix that now by using the adjusted coordinates in the pixman_fill +call, and update the related debug printf(). + +Reported-by: Qiang Liu +Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts") +Signed-off-by: Philippe Mathieu-Daudé +Tested-by: Mauro Matteo Cascella +Message-Id: <20210906153103.1661195-1-philmd@redhat.com> +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2021-3638 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643] + +Signed-off-by: Yogita Urade +--- + hw/display/ati_2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 4dc10ea79..692bec91d 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) + DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", + s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, + s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, +- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, ++ s->regs.src_x, s->regs.src_y, dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), + (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^')); +@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride /= sizeof(uint32_t); + DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", + dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && +-- +2.40.0