spapr: Fix integer overflow during migration (TCG)
The n_valid and n_invalid fields are unsigned short integers, but it is possible to have more than 65535 entries in a contiguous hunk, overflowing the field. This results in an incorrect HTAB being sent to the destination during migration.

Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Alexander Graf <agraf@suse.de>
parent
01a579729b
commit
338c25b692
@ -1065,7 +1065,7 @@ static void htab_save_first_pass(QEMUFile *f, sPAPREnvironment *spapr,
|
||||
|
||||
/* Consume valid HPTEs */
|
||||
chunkstart = index;
|
||||
while ((index < htabslots)
|
||||
while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
|
||||
&& HPTE_VALID(HPTE(spapr->htab, index))) {
|
||||
index++;
|
||||
CLEAN_HPTE(HPTE(spapr->htab, index));
|
||||
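Review bot: In the loop body at the end of this hunk, `index++;` runs before `CLEAN_HPTE(HPTE(spapr->htab, index));`, so the dirty mark is cleared on the slot after the one just consumed rather than on the consumed entry, and on the final iteration index can equal htabslots, so the macro is applied one past the table; the two htab_save_later_pass hunks below place `CLEAN_HPTE(...)` first in the body, which looks like the intended order, and if so the fix is to swap the two lines: `CLEAN_HPTE(HPTE(spapr->htab, index)); index++;`. Whether that one-past access is actually out of range depends on how HPTE() and the table allocation are defined, which are outside this hunk. The bound `index - chunkstart < USHRT_MAX` added here, and the matching `invalidstart` bound in the third hunk, is correct as far as it goes (a chunk of exactly USHRT_MAX entries still fits a 16-bit count), but it reads like an off-by-one, so each site deserves a comment such as `/* n_valid/n_invalid are unsigned short on the wire: cap the chunk so the count cannot wrap */`. htab_save_first_pass starts before this hunk and continues after it.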
@ -1117,7 +1117,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr,
|
||||
|
||||
chunkstart = index;
|
||||
/* Consume valid dirty HPTEs */
|
||||
while ((index < htabslots)
|
||||
while ((index < htabslots) && (index - chunkstart < USHRT_MAX)
|
||||
&& HPTE_DIRTY(HPTE(spapr->htab, index))
|
||||
&& HPTE_VALID(HPTE(spapr->htab, index))) {
|
||||
CLEAN_HPTE(HPTE(spapr->htab, index));
|
||||
@ -1127,7 +1127,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr,
|
||||
|
||||
invalidstart = index;
|
||||
/* Consume invalid dirty HPTEs */
|
||||
while ((index < htabslots)
|
||||
while ((index < htabslots) && (index - invalidstart < USHRT_MAX)
|
||||
&& HPTE_DIRTY(HPTE(spapr->htab, index))
|
||||
&& !HPTE_VALID(HPTE(spapr->htab, index))) {
|
||||
CLEAN_HPTE(HPTE(spapr->htab, index));
|
||||
|