diff mbox series

[29/36] s390x/tcg: Fix length calculation in probe_write_access()

Message ID 20190903160858.5296-30-richard.henderson@linaro.org
State Accepted
Commit 46750128631eaace54b69ddd8b63683edd4606cc
Headers show
Series tcg patch queue | expand

Commit Message

Richard Henderson Sept. 3, 2019, 4:08 p.m. UTC
From: David Hildenbrand <david@redhat.com>


Hm... how did that "-" slip in (-TAGRET_PAGE_SIZE would be correct). This
currently makes us exceed one page in a single probe_write() call,
essentially leaving some memory unchecked.

Fixes: c5a7392cfb96 ("s390x/tcg: Provide probe_write_access helper")
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: David Hildenbrand <david@redhat.com>

Reviewed-by: Cornelia Huck <cohuck@redhat.com>

Message-Id: <20190826075112.25637-3-david@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

---
 target/s390x/mem_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.17.1
diff mbox series

Patch

diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
index 7819aca15d..4b43440e89 100644
--- a/target/s390x/mem_helper.c
+++ b/target/s390x/mem_helper.c
@@ -2623,7 +2623,7 @@  void probe_write_access(CPUS390XState *env, uint64_t addr, uint64_t len,
 #else
     /* test the actual access, not just any access to the page due to LAP */
     while (len) {
-        const uint64_t pagelen = -(addr | -TARGET_PAGE_MASK);
+        const uint64_t pagelen = -(addr | TARGET_PAGE_MASK);
         const uint64_t curlen = MIN(pagelen, len);
 
         probe_write(env, addr, curlen, cpu_mmu_index(env, false), ra);