From: Samuel Mendoza-Jonas <sam...@au1.ibm.com> The n_valid and n_invalid fields are unsigned short integers but it is possible to have more than 65535 entries in a contiguous hunk, overflowing the field. This results in an incorrect HTAB being sent to the destination during migration.
Signed-off-by: Samuel Mendoza-Jonas <sam...@au1.ibm.com> Reviewed-by: Alexey Kardashevskiy <a...@ozlabs.ru> Signed-off-by: Alexander Graf <ag...@suse.de> --- hw/ppc/spapr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 869b721..765a44c 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -1065,7 +1065,7 @@ static void htab_save_first_pass(QEMUFile *f, sPAPREnvironment *spapr, /* Consume valid HPTEs */ chunkstart = index; - while ((index < htabslots) + while ((index < htabslots) && (index - chunkstart < USHRT_MAX) && HPTE_VALID(HPTE(spapr->htab, index))) { index++; CLEAN_HPTE(HPTE(spapr->htab, index)); @@ -1117,7 +1117,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr, chunkstart = index; /* Consume valid dirty HPTEs */ - while ((index < htabslots) + while ((index < htabslots) && (index - chunkstart < USHRT_MAX) && HPTE_DIRTY(HPTE(spapr->htab, index)) && HPTE_VALID(HPTE(spapr->htab, index))) { CLEAN_HPTE(HPTE(spapr->htab, index)); @@ -1127,7 +1127,7 @@ static int htab_save_later_pass(QEMUFile *f, sPAPREnvironment *spapr, invalidstart = index; /* Consume invalid dirty HPTEs */ - while ((index < htabslots) + while ((index < htabslots) && (index - invalidstart < USHRT_MAX) && HPTE_DIRTY(HPTE(spapr->htab, index)) && !HPTE_VALID(HPTE(spapr->htab, index))) { CLEAN_HPTE(HPTE(spapr->htab, index)); -- 1.8.1.4