diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2018-03-27 16:25:12 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2018-03-27 16:25:12 +0100 |
| commit | dfe732fb68ef9195517f4f380a477d58a054edc1 (patch) | |
| tree | d57175cba00f6a531cc0bf358dceb5b7535d2d12 /hw | |
| parent | 62d0289662746585239fbbf6a8d548f37f5fe6a8 (diff) | |
| parent | eb69953ecb1cbe7b4c4093a97a4dab3daa315d4e (diff) | |
| download | qemu-dfe732fb68ef9195517f4f380a477d58a054edc1.zip qemu-dfe732fb68ef9195517f4f380a477d58a054edc1.tar.gz qemu-dfe732fb68ef9195517f4f380a477d58a054edc1.tar.bz2 | |
Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging
# gpg: Signature made Tue 27 Mar 2018 05:56:19 BST
# gpg: using RSA key 7DEF8106AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB
# Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E
* remotes/jnsnow/tags/ide-pull-request:
macio: fix NULL pointer dereference when issuing IDE trim
ide: fix invalid TRIM range abortion for macio
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/ide/core.c | 17 | ||||
| -rw-r--r-- | hw/ide/macio.c | 2 |
2 files changed, 10 insertions, 9 deletions
diff --git a/hw/ide/core.c b/hw/ide/core.c index 139c843..866c659 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c @@ -402,7 +402,6 @@ typedef struct TrimAIOCB { QEMUIOVector *qiov; BlockAIOCB *aiocb; int i, j; - bool is_invalid; } TrimAIOCB; static void trim_aio_cancel(BlockAIOCB *acb) @@ -430,11 +429,8 @@ static void ide_trim_bh_cb(void *opaque) { TrimAIOCB *iocb = opaque; - if (iocb->is_invalid) { - ide_dma_error(iocb->s); - } else { - iocb->common.cb(iocb->common.opaque, iocb->ret); - } + iocb->common.cb(iocb->common.opaque, iocb->ret); + qemu_bh_delete(iocb->bh); iocb->bh = NULL; qemu_aio_unref(iocb); @@ -462,7 +458,7 @@ static void ide_issue_trim_cb(void *opaque, int ret) } if (!ide_sect_range_ok(s, sector, count)) { - iocb->is_invalid = true; + iocb->ret = -EINVAL; goto done; } @@ -502,7 +498,6 @@ BlockAIOCB *ide_issue_trim( iocb->qiov = qiov; iocb->i = -1; iocb->j = 0; - iocb->is_invalid = false; ide_issue_trim_cb(iocb, 0); return &iocb->common; } @@ -848,6 +843,12 @@ static void ide_dma_cb(void *opaque, int ret) if (ret == -ECANCELED) { return; } + + if (ret == -EINVAL) { + ide_dma_error(s); + return; + } + if (ret < 0) { if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) { s->bus->dma->aiocb = NULL; diff --git a/hw/ide/macio.c b/hw/ide/macio.c index 2e043ef..d3a85cb 100644 --- a/hw/ide/macio.c +++ b/hw/ide/macio.c @@ -187,7 +187,7 @@ static void pmac_ide_transfer_cb(void *opaque, int ret) break; case IDE_DMA_TRIM: s->bus->dma->aiocb = dma_blk_io(blk_get_aio_context(s->blk), &s->sg, - offset, 0x1, ide_issue_trim, s->blk, + offset, 0x1, ide_issue_trim, s, pmac_ide_transfer_cb, io, DMA_DIRECTION_TO_DEVICE); break; |