diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2019-03-26 14:11:00 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2019-03-26 14:11:00 +0000 |
| commit | 905870b53c031e4350cd1fbfc8d5010d25c8f6f8 (patch) | |
| tree | d3006742d045809e766821eeb145d2988ccf5c42 /hw | |
| parent | 2ef80e14d526f50c4b751d1f15b5ca450d7f997f (diff) | |
| parent | 339534d402524d75209df5d287464e17feb6941f (diff) | |
| download | qemu-905870b53c031e4350cd1fbfc8d5010d25c8f6f8.zip qemu-905870b53c031e4350cd1fbfc8d5010d25c8f6f8.tar.gz qemu-905870b53c031e4350cd1fbfc8d5010d25c8f6f8.tar.bz2 | |
Merge remote-tracking branch 'remotes/kraxel/tags/fixes-20190326-pull-request' into staging
fixes for 4.0: ohci and ati-vga
# gpg: Signature made Tue 26 Mar 2019 14:05:40 GMT
# gpg: using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* remotes/kraxel/tags/fixes-20190326-pull-request:
ati-vga: Fix indexed access to video memory
ohci: don't die on ED_LINK_LIMIT overflow
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/display/ati.c | 18 | ||||
| -rw-r--r-- | hw/usb/hcd-ohci.c | 7 |
2 files changed, 7 insertions, 18 deletions
diff --git a/hw/display/ati.c b/hw/display/ati.c index 8322f52..db409be 100644 --- a/hw/display/ati.c +++ b/hw/display/ati.c @@ -235,12 +235,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) case MM_DATA ... MM_DATA + 3: /* indexed access to regs or memory */ if (s->regs.mm_index & BIT(31)) { - if (s->regs.mm_index <= s->vga.vram_size - size) { - int i = size - 1; - while (i >= 0) { - val <<= 8; - val |= s->vga.vram_ptr[s->regs.mm_index + i--]; - } + uint32_t idx = s->regs.mm_index & ~BIT(31); + if (idx <= s->vga.vram_size - size) { + val = ldn_le_p(s->vga.vram_ptr + idx, size); } } else { val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); @@ -434,12 +431,9 @@ static void ati_mm_write(void *opaque, hwaddr addr, case MM_DATA ... MM_DATA + 3: /* indexed access to regs or memory */ if (s->regs.mm_index & BIT(31)) { - if (s->regs.mm_index <= s->vga.vram_size - size) { - int i = 0; - while (i < size) { - s->vga.vram_ptr[s->regs.mm_index + i] = data & 0xff; - data >>= 8; - } + uint32_t idx = s->regs.mm_index & ~BIT(31); + if (idx <= s->vga.vram_size - size) { + stn_le_p(s->vga.vram_ptr + idx, size, data); } } else { ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c index 196a9f7..81cf5ab 100644 --- a/hw/usb/hcd-ohci.c +++ b/hw/usb/hcd-ohci.c @@ -1200,7 +1200,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) if (head == 0) return 0; - for (cur = head; cur; cur = next_ed) { + for (cur = head; cur && link_cnt++ < ED_LINK_LIMIT; cur = next_ed) { if (ohci_read_ed(ohci, cur, &ed)) { trace_usb_ohci_ed_read_error(cur); ohci_die(ohci); @@ -1209,11 +1209,6 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) next_ed = ed.next & OHCI_DPTR_MASK; - if (++link_cnt > ED_LINK_LIMIT) { - ohci_die(ohci); - return 0; - } - if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { uint32_t addr; /* Cancel pending packets for ED that have been paused. */ |