Commit a67ec6ee authored by Peter Maydell's avatar Peter Maydell

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170329' into staging



ppc patch queue for 2017-03-29

Two more bugfixes of sufficient severity to warrant going into 2.9.

# gpg: Signature made Wed 29 Mar 2017 04:33:19 BST
# gpg:                using RSA key 0x6C38CACA20D9B392
# gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>"
# gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>"
# gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>"
# gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>"
# Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392

* remotes/dgibson/tags/ppc-for-2.9-20170329:
  spapr: fix memory hot-unplugging
  spapr: fix buffer-overflow

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
parents e68dd684 fe6824d1
+2 −2
@@ -1524,16 +1524,16 @@ static void htab_save_first_pass(QEMUFile *f, sPAPRMachineState *spapr,
        /* Consume invalid HPTEs */
        while ((index < htabslots)
               && !HPTE_VALID(HPTE(spapr->htab, index))) {
            index++;
            CLEAN_HPTE(HPTE(spapr->htab, index));
            index++;
        }

        /* Consume valid HPTEs */
        chunkstart = index;
        while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
               && HPTE_VALID(HPTE(spapr->htab, index))) {
            index++;
            CLEAN_HPTE(HPTE(spapr->htab, index));
            index++;
        }

        if (index > chunkstart) {
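Review bot: Neither loop says why CLEAN_HPTE has to run before `index++`, and because this page has lost the +/- markers it prints the increment in both positions, so the intended order is easy to misread. The loop condition only guarantees `index < htabslots` at the top of the body, so advancing first makes the macro access slot `index + 1`, which on the last iteration is one entry past the table. I would add `/* clean the entry just consumed; index must still be < htabslots here */` above each CLEAN_HPTE call. htab_save_first_pass starts and ends outside the hunk, so any other loop over `spapr->htab` in the file is worth checking for the same order.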
+17 −3
@@ -135,6 +135,17 @@ static uint32_t set_allocation_state(sPAPRDRConnector *drc,
        if (!drc->dev) {
            return RTAS_OUT_NO_SUCH_INDICATOR;
        }
        if (drc->awaiting_release && drc->awaiting_allocation) {
            /* kernel is acknowledging a previous hotplug event
             * while we are already removing it.
             * it's safe to ignore awaiting_allocation here since we know the
             * situation is predicated on the guest either already having done
             * so (boot-time hotplug), or never being able to acquire in the
             * first place (hotplug followed by immediate unplug).
             */
            drc->awaiting_allocation_skippable = true;
            return RTAS_OUT_NO_SUCH_INDICATOR;
        }
    }

    if (drc->type != SPAPR_DR_CONNECTOR_TYPE_PCI) {
@@ -436,10 +447,12 @@ static void detach(sPAPRDRConnector *drc, DeviceState *d,
    }

    if (drc->awaiting_allocation) {
        if (!drc->awaiting_allocation_skippable) {
            drc->awaiting_release = true;
            trace_spapr_drc_awaiting_allocation(get_index(drc));
            return;
        }
    }

    drc->indicator_state = SPAPR_DR_INDICATOR_STATE_INACTIVE;

@@ -448,6 +461,7 @@ static void detach(sPAPRDRConnector *drc, DeviceState *d,
    }

    drc->awaiting_release = false;
    drc->awaiting_allocation_skippable = false;
    g_free(drc->fdt);
    drc->fdt = NULL;
    drc->fdt_start_offset = 0;
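Review bot: The reset at the end of detach() clears `awaiting_release` and `awaiting_allocation_skippable` but leaves `awaiting_allocation` set, so on the new skippable path the connector finishes detaching with that flag still true. If nothing outside these hunks clears it before the connector is reused, consider adding `drc->awaiting_allocation = false;` beside the other resets. Both detach() hunks and the set_allocation_state() hunk show only part of their functions, so this needs checking against the full file. Separately, the nested test in detach() can be written as one condition, `if (drc->awaiting_allocation && !drc->awaiting_allocation_skippable) {`.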
+1 −0
@@ -154,6 +154,7 @@ typedef struct sPAPRDRConnector {
    bool awaiting_release;
    bool signalled;
    bool awaiting_allocation;
    bool awaiting_allocation_skippable;

    /* device pointer, via link property */
    DeviceState *dev;
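Review bot: `awaiting_allocation_skippable` is added without a comment, and its lifetime is not obvious from the name. From the hunks on this page it is set in set_allocation_state() when both `awaiting_release` and `awaiting_allocation` are true, and cleared at the end of detach(). A one-line comment such as `/* guest acked a hotplug while unplug was pending; detach() may proceed */` would record that. The struct continues outside the hunk, and whether its state is saved for migration is not visible here, so it is worth confirming the new field does not need to be added to any saved state.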