ppc patch queue for 2017-03-29

Two more bugfixes of sufficient severity to warrant going into 2.9. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAABCAAGBQJY2yr/AAoJEGw4ysog2bOSANMP/35x0toieCOLosuB3BvaMldV UYjeryjCCu60NoDPLhLq2yy0ANn7tgLLN6F3O5yWiKPorcsmYX3KwIEIKcZHe5DU gNugCsvX83tHOO5r4ocxSQnKUU0fDGDa/4dx016a4Y9zkgMuNK74EYA5+3UDgx9M OynON0gv+VkvfbEkHq517EeNUkMkZNvYk3u8n3a3Y67lL86tU8mgIOwu0awf1sdr VVqKWioq8sTN3YI/09nt66fTkL0pC8DqLIQ0X5cPeo86uhWyXL71ijAIgLxgJ4js lBAIfS5A0WsJjokpLORuC2JbzcYatRhh8bnrBr9YPSLRXl+PhIH9WJsMrYAHpaNx 8ikNZg9mw28tW8UcmtnXfQmpkkic7EfILy8cu1MFFaOqjxUZzyWbi0aVuOa2fXW9 2QpcOT3pD9vJ2U6wRkHt/B3R7He4DMnm/0vfo1paxxb5hd9+VHt46aluGzfQc2Rd 2L79bejXlDImVxKnlgnJ4tPe+Z0Nhn3S8mZQ/QxodcDgsx7cLWxrpc0PWFkagPN1 H8Ug1TG+En78/yX3g8ml3r1hRTZepojsjQLX4JMVpwycKfUBsnH4EG5UbdIFFS5o lgRc+zVloc8E0O9q+RseEIrbbqmIrxiN2ZkIquRdzTn6dVNDO2/bZMhrpRA/X/P0 x1HuvIg8FjhpHlwNsVW8 =DtMn -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-2.9-20170329' into staging ppc patch queue for 2017-03-29 Two more bugfixes of sufficient severity to warrant going into 2.9. # gpg: Signature made Wed 29 Mar 2017 04:33:19 BST # gpg: using RSA key 0x6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dgibson/tags/ppc-for-2.9-20170329: spapr: fix memory hot-unplugging spapr: fix buffer-overflow Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2017-03-30 14:53:03 +01:00 · 2017-03-30 14:53:03 +01:00 · a67ec6ee2d
parent e68dd68496 fe6824d126
commit a67ec6ee2d
3 changed files with 20 additions and 5 deletions
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@ -1524,16 +1524,16 @@ static void htab_save_first_pass(QEMUFile *f, sPAPRMachineState *spapr,
        /* Consume invalid HPTEs */
        while ((index < htabslots)
               && !HPTE_VALID(HPTE(spapr->htab, index))) {
-            index++;
            CLEAN_HPTE(HPTE(spapr->htab, index));
+            index++;
        }

        /* Consume valid HPTEs */
        chunkstart = index;
        while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
               && HPTE_VALID(HPTE(spapr->htab, index))) {
-            index++;
            CLEAN_HPTE(HPTE(spapr->htab, index));
+            index++;
        }

        if (index > chunkstart) {
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@ -135,6 +135,17 @@ static uint32_t set_allocation_state(sPAPRDRConnector *drc,
        if (!drc->dev) {
            return RTAS_OUT_NO_SUCH_INDICATOR;
        }
+        if (drc->awaiting_release && drc->awaiting_allocation) {
+            /* kernel is acknowledging a previous hotplug event
+             * while we are already removing it.
+             * it's safe to ignore awaiting_allocation here since we know the
+             * situation is predicated on the guest either already having done
+             * so (boot-time hotplug), or never being able to acquire in the
+             * first place (hotplug followed by immediate unplug).
+             */
+            drc->awaiting_allocation_skippable = true;
+            return RTAS_OUT_NO_SUCH_INDICATOR;
+        }
    }

    if (drc->type != SPAPR_DR_CONNECTOR_TYPE_PCI) {
@ -436,9 +447,11 @@ static void detach(sPAPRDRConnector *drc, DeviceState *d,
    }

    if (drc->awaiting_allocation) {
-        drc->awaiting_release = true;
-        trace_spapr_drc_awaiting_allocation(get_index(drc));
-        return;
+        if (!drc->awaiting_allocation_skippable) {
+            drc->awaiting_release = true;
+            trace_spapr_drc_awaiting_allocation(get_index(drc));
+            return;
+        }
    }

    drc->indicator_state = SPAPR_DR_INDICATOR_STATE_INACTIVE;
@ -448,6 +461,7 @@ static void detach(sPAPRDRConnector *drc, DeviceState *d,
    }

    drc->awaiting_release = false;
+    drc->awaiting_allocation_skippable = false;
    g_free(drc->fdt);
    drc->fdt = NULL;
    drc->fdt_start_offset = 0;
--- a/include/hw/ppc/spapr_drc.h
+++ b/include/hw/ppc/spapr_drc.h
@ -154,6 +154,7 @@ typedef struct sPAPRDRConnector {
    bool awaiting_release;
    bool signalled;
    bool awaiting_allocation;
+    bool awaiting_allocation_skippable;

    /* device pointer, via link property */
    DeviceState *dev;