Commit dfe732fb authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging 



# gpg: Signature made Tue 27 Mar 2018 05:56:19 BST
# gpg:                using RSA key 7DEF8106AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-pull-request:
  macio: fix NULL pointer dereference when issuing IDE trim
  ide: fix invalid TRIM range abortion for macio

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents 62d02896 eb69953e

hw/ide/core.c

+9 −8
Original line number Diff line number Diff line
@@ -402,7 +402,6 @@ typedef struct TrimAIOCB { 
    QEMUIOVector *qiov;

    BlockAIOCB *aiocb;

    int i, j;

    bool is_invalid;

} TrimAIOCB;



static void trim_aio_cancel(BlockAIOCB *acb)
@@ -430,11 +429,8 @@ static void ide_trim_bh_cb(void *opaque) 
{

    TrimAIOCB *iocb = opaque;



    if (iocb->is_invalid) {

        ide_dma_error(iocb->s);

    } else {

    iocb->common.cb(iocb->common.opaque, iocb->ret);

    }



    qemu_bh_delete(iocb->bh);

    iocb->bh = NULL;

    qemu_aio_unref(iocb);
@@ -462,7 +458,7 @@ static void ide_issue_trim_cb(void *opaque, int ret) 
                }



                if (!ide_sect_range_ok(s, sector, count)) {

                    iocb->is_invalid = true;

                    iocb->ret = -EINVAL;

                    goto done;

                }
@@ -502,7 +498,6 @@ BlockAIOCB *ide_issue_trim( 
    iocb->qiov = qiov;

    iocb->i = -1;

    iocb->j = 0;

    iocb->is_invalid = false;

    ide_issue_trim_cb(iocb, 0);

    return &iocb->common;

}
@@ -848,6 +843,12 @@ static void ide_dma_cb(void *opaque, int ret) 
    if (ret == -ECANCELED) {

        return;

    }



    if (ret == -EINVAL) {

        ide_dma_error(s);

        return;

    }



    if (ret < 0) {

        if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {

            s->bus->dma->aiocb = NULL;

hw/ide/macio.c

+1 −1
Original line number Diff line number Diff line
@@ -187,7 +187,7 @@ static void pmac_ide_transfer_cb(void *opaque, int ret) 
        break;

    case IDE_DMA_TRIM:

        s->bus->dma->aiocb = dma_blk_io(blk_get_aio_context(s->blk), &s->sg,

                                        offset, 0x1, ide_issue_trim, s->blk,

                                        offset, 0x1, ide_issue_trim, s,

                                        pmac_ide_transfer_cb, io,

                                        DMA_DIRECTION_TO_DEVICE);

        break;