7a16948063
- ppc/xive: Fix ESB length overflow on 32-bit hosts - target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64 - target/ppc: Fix migration of CPUs with TLB_EMB TLB type - target/arm: Clear high SVE elements in handle_vec_simd_wshli - module: Prevent crash by resetting local_err in module_load_qom_all() - tests/docker: update debian i686 and mipsel images to bookworm - target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed) - docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str - block/blkio: use FUA flag on write zeroes only if supported - virtio-pci: Fix the use of an uninitialized irqfd - hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() - intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL - virtio-net: Avoid indirection_table_mask overflow - Fix calculation of minimum in colo_compare_tcp - target/riscv/csr.c: Fix an access to VXSAT - linux-user: Clean up unused header - raw-format: Fix error message for invalid offset/size - hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion - tests: Wait for migration completion on destination QEMU to avoid failures - acpi: ged: Add macro for acpi sleep control register - hw/intc/openpic: Improve errors for out of bounds property values - hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge - docs/tools/qemu-img.rst: fix typo (sumarizes) - audio/pw: Report more accurate error when connecting to PipeWire fails - audio/pw: Report more accurate error when connecting to PipeWire fails - dma: Fix function names in documentation Ensure the function names match. - edu: fix DMA range upper bound check - platform-bus: fix refcount leak - hw/net/can/sja1000: fix bug for single acceptance filter and standard frame - tests/avocado: fix typo in replay_linux - util/userfaultfd: Remove unused uffd_poll_events - Consider discard option when writing zeros - crypto: factor out conversion of QAPI to gcrypt constants - crypto: drop gnutls debug logging support - crypto: use consistent error reporting pattern for unsupported cipher modes - hw/gpio/aspeed_gpio: Avoid shift into sign bit Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit b6e04df301d30895427ab41a1edff0f40149bdd9)
70 lines
2.3 KiB
Diff
70 lines
2.3 KiB
Diff
From c73b18ef8f2dd15934d90f65ba825bef19d11f73 Mon Sep 17 00:00:00 2001
|
|
From: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
|
|
Date: Thu, 7 Nov 2024 22:07:23 -0500
|
|
Subject: [PATCH] ppc/xive: Fix ESB length overflow on 32-bit hosts
|
|
|
|
cheery-pick from 07f2770503e24889720028ddf9ef54788ddf3b6d
|
|
|
|
The length of this region can be > 32-bits, which overflows size_t on
|
|
32-bit hosts. Change to uint64_t.
|
|
|
|
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
|
|
---
|
|
hw/intc/spapr_xive_kvm.c | 4 ++--
|
|
hw/intc/xive.c | 2 +-
|
|
include/hw/ppc/xive.h | 2 +-
|
|
3 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/hw/intc/spapr_xive_kvm.c b/hw/intc/spapr_xive_kvm.c
|
|
index 5789062379..7a86197fc9 100644
|
|
--- a/hw/intc/spapr_xive_kvm.c
|
|
+++ b/hw/intc/spapr_xive_kvm.c
|
|
@@ -720,7 +720,7 @@ int kvmppc_xive_connect(SpaprInterruptController *intc, uint32_t nr_servers,
|
|
{
|
|
SpaprXive *xive = SPAPR_XIVE(intc);
|
|
XiveSource *xsrc = &xive->source;
|
|
- size_t esb_len = xive_source_esb_len(xsrc);
|
|
+ uint64_t esb_len = xive_source_esb_len(xsrc);
|
|
size_t tima_len = 4ull << TM_SHIFT;
|
|
CPUState *cs;
|
|
int fd;
|
|
@@ -824,7 +824,7 @@ void kvmppc_xive_disconnect(SpaprInterruptController *intc)
|
|
{
|
|
SpaprXive *xive = SPAPR_XIVE(intc);
|
|
XiveSource *xsrc;
|
|
- size_t esb_len;
|
|
+ uint64_t esb_len;
|
|
|
|
assert(xive->fd != -1);
|
|
|
|
diff --git a/hw/intc/xive.c b/hw/intc/xive.c
|
|
index a3585593d8..0cfc172dd4 100644
|
|
--- a/hw/intc/xive.c
|
|
+++ b/hw/intc/xive.c
|
|
@@ -1238,7 +1238,7 @@ static void xive_source_reset(void *dev)
|
|
static void xive_source_realize(DeviceState *dev, Error **errp)
|
|
{
|
|
XiveSource *xsrc = XIVE_SOURCE(dev);
|
|
- size_t esb_len = xive_source_esb_len(xsrc);
|
|
+ uint64_t esb_len = xive_source_esb_len(xsrc);
|
|
|
|
assert(xsrc->xive);
|
|
|
|
diff --git a/include/hw/ppc/xive.h b/include/hw/ppc/xive.h
|
|
index f120874e0f..00023c0233 100644
|
|
--- a/include/hw/ppc/xive.h
|
|
+++ b/include/hw/ppc/xive.h
|
|
@@ -218,7 +218,7 @@ static inline bool xive_source_esb_has_2page(XiveSource *xsrc)
|
|
xsrc->esb_shift == XIVE_ESB_4K_2PAGE;
|
|
}
|
|
|
|
-static inline size_t xive_source_esb_len(XiveSource *xsrc)
|
|
+static inline uint64_t xive_source_esb_len(XiveSource *xsrc)
|
|
{
|
|
return (1ull << xsrc->esb_shift) * xsrc->nr_irqs;
|
|
}
|
|
--
|
|
2.41.0.windows.1
|
|
|