diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2017-03-30 14:53:03 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2017-03-30 14:53:03 +0100 |
commit | a67ec6ee2dbb3725f4291f17b5bdca5e086108a7 (patch) | |
tree | 13a69deebdb155ec144500931cd0a1464402b8fb | |
parent | e68dd68496e89a48415e1f088f13d4dd59fe8560 (diff) | |
parent | fe6824d12642b005c69123ecf8631f9b13553f8b (diff) | |
download | qemu-a67ec6ee2dbb3725f4291f17b5bdca5e086108a7.zip qemu-a67ec6ee2dbb3725f4291f17b5bdca5e086108a7.tar.gz qemu-a67ec6ee2dbb3725f4291f17b5bdca5e086108a7.tar.bz2 |
Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170329' into staging
ppc patch queue for 2017-03-29
Two more bugfixes of sufficient severity to warrant going into 2.9.
# gpg: Signature made Wed 29 Mar 2017 04:33:19 BST
# gpg: using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392
* remotes/dgibson/tags/ppc-for-2.9-20170329:
spapr: fix memory hot-unplugging
spapr: fix buffer-overflow
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r-- | hw/ppc/spapr.c | 4 | ||||
-rw-r--r-- | hw/ppc/spapr_drc.c | 20 | ||||
-rw-r--r-- | include/hw/ppc/spapr_drc.h | 1 |
3 files changed, 20 insertions, 5 deletions
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 8aecea3..44c26e4 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -1524,16 +1524,16 @@ static void htab_save_first_pass(QEMUFile *f, sPAPRMachineState *spapr, /* Consume invalid HPTEs */ while ((index < htabslots) && !HPTE_VALID(HPTE(spapr->htab, index))) { - index++; CLEAN_HPTE(HPTE(spapr->htab, index)); + index++; } /* Consume valid HPTEs */ chunkstart = index; while ((index < htabslots) && (index - chunkstart < USHRT_MAX) && HPTE_VALID(HPTE(spapr->htab, index))) { - index++; CLEAN_HPTE(HPTE(spapr->htab, index)); + index++; } if (index > chunkstart) { diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c index 150f6bf..a1cdc87 100644 --- a/hw/ppc/spapr_drc.c +++ b/hw/ppc/spapr_drc.c @@ -135,6 +135,17 @@ static uint32_t set_allocation_state(sPAPRDRConnector *drc, if (!drc->dev) { return RTAS_OUT_NO_SUCH_INDICATOR; } + if (drc->awaiting_release && drc->awaiting_allocation) { + /* kernel is acknowledging a previous hotplug event + * while we are already removing it. + * it's safe to ignore awaiting_allocation here since we know the + * situation is predicated on the guest either already having done + * so (boot-time hotplug), or never being able to acquire in the + * first place (hotplug followed by immediate unplug). + */ + drc->awaiting_allocation_skippable = true; + return RTAS_OUT_NO_SUCH_INDICATOR; + } } if (drc->type != SPAPR_DR_CONNECTOR_TYPE_PCI) { @@ -436,9 +447,11 @@ static void detach(sPAPRDRConnector *drc, DeviceState *d, } if (drc->awaiting_allocation) { - drc->awaiting_release = true; - trace_spapr_drc_awaiting_allocation(get_index(drc)); - return; + if (!drc->awaiting_allocation_skippable) { + drc->awaiting_release = true; + trace_spapr_drc_awaiting_allocation(get_index(drc)); + return; + } } drc->indicator_state = SPAPR_DR_INDICATOR_STATE_INACTIVE; @@ -448,6 +461,7 @@ static void detach(sPAPRDRConnector *drc, DeviceState *d, } drc->awaiting_release = false; + drc->awaiting_allocation_skippable = false; g_free(drc->fdt); drc->fdt = NULL; drc->fdt_start_offset = 0; diff --git a/include/hw/ppc/spapr_drc.h b/include/hw/ppc/spapr_drc.h index fa531d5..5524247 100644 --- a/include/hw/ppc/spapr_drc.h +++ b/include/hw/ppc/spapr_drc.h @@ -154,6 +154,7 @@ typedef struct sPAPRDRConnector { bool awaiting_release; bool signalled; bool awaiting_allocation; + bool awaiting_allocation_skippable; /* device pointer, via link property */ DeviceState *dev; |