Commit 536b4746a3 for qemu.org

commit 536b4746a33ea1b009b0a96eb0710786735948f6
Author: Junjie Cao <junjie.cao@intel.com>
Date:   Wed Apr 15 05:35:23 2026 +0800

    ati-vga: mask out lock bit from CUR_OFFSET in cursor offset calculation

    Bit 31 of CUR_OFFSET is the cursor lock bit, not part of the actual
    cursor address (bits 26:4).  Although the callers already check for the
    lock bit and return early, mask it out with 0x07fffff0 when computing
    the cursor source offset so the calculation only uses the address bits.

    Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
    Signed-off-by: Junjie Cao <junjie.cao@intel.com>
    Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
    Message-ID: <20260414213523.1125859-2-junjie.cao@intel.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 0489995d00..3a7d45a882 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -147,7 +147,7 @@ static void ati_cursor_define(ATIVGAState *s)
         return; /* Do not update cursor if locked or rendered by guest */
     }
     /* FIXME handle cur_hv_offs correctly */
-    srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
+    srcoff = (s->regs.cur_offset & 0x07fffff0) - (s->regs.cur_hv_offs >> 16) -
              (s->regs.cur_hv_offs & 0xffff) * 16;
     if (srcoff > s->vga.vram_size - 64 * 16) {
         return;
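Review bot: The subtraction in the new `srcoff` assignment can still go below zero, because the two `cur_hv_offs` terms may exceed the masked address, and nothing at that line says the range check after it is what handles that case. If `srcoff` and the register fields are unsigned 32-bit (their declarations are outside the hunk), the result wraps to a large value and `srcoff > s->vga.vram_size - 64 * 16` rejects it; the guard therefore depends on those operand types. I would record that next to the existing FIXME, e.g. `/* underflow wraps (unsigned) and is rejected by the vram range check below */`. ati_cursor_define starts above and continues below this hunk.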
@@ -176,13 +176,15 @@ static void ati_cursor_invalidate(VGACommonState *vga)
     if (s->cursor_size != size ||
         vga->hw_cursor_x != s->regs.cur_hv_pos >> 16 ||
         vga->hw_cursor_y != (s->regs.cur_hv_pos & 0xffff) ||
-        s->cursor_offset != s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
+        s->cursor_offset != (s->regs.cur_offset & 0x07fffff0) -
+        (s->regs.cur_hv_offs >> 16) -
         (s->regs.cur_hv_offs & 0xffff) * 16) {
         /* Remove old cursor then update and show new one if needed */
         vga_invalidate_scanlines(vga, vga->hw_cursor_y, vga->hw_cursor_y + 63);
         vga->hw_cursor_x = s->regs.cur_hv_pos >> 16;
         vga->hw_cursor_y = s->regs.cur_hv_pos & 0xffff;
-        s->cursor_offset = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
+        s->cursor_offset = (s->regs.cur_offset & 0x07fffff0) -
+                           (s->regs.cur_hv_offs >> 16) -
                            (s->regs.cur_hv_offs & 0xffff) * 16;
         s->cursor_size = size;
         if (size) {
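Review bot: `s->cursor_offset` is assigned the same masked-and-subtracted value that ati_cursor_define range-checks against `s->vga.vram_size`, but here it is stored without any check, so an out-of-range or wrapped offset can be cached. Whether the code that later reads `s->cursor_offset` bounds it is not visible in this hunk and should be confirmed. The expression is also written out twice in this hunk (the comparison and the assignment) and once more in ati_cursor_define, each with the bare literal `0x07fffff0`. Computing it once into a local before the `if` and naming the mask, e.g. `#define CUR_OFFSET_ADDR_MASK 0x07fffff0 /* CUR_OFFSET address bits 26:4 */`, would keep the three sites from drifting. ati_cursor_invalidate begins above the hunk and its `if (size)` body continues past it.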