path: root/include/exec/exec-all.h
author Paolo Bonzini <pbonzini@redhat.com> 2017-01-29 12:00:59 +0100
committer Paolo Bonzini <pbonzini@redhat.com> 2017-02-16 14:06:56 +0100
commit 43d70ddf9f96b3ad037abe4d5f9f2768196b8c92 (patch)
tree 30df0ebeb3cac4120ade0cb8a0bbb152e58d058f /include/exec/exec-all.h
parent d9ff1d35c5242d73e7923ae259e065739090db54 (diff)
cpu-exec: fix icount out-of-bounds access
When icount is active, tb_add_jump is surprisingly called with an
out of bounds basic block index.  I have no idea how that can work,
but it does not seem like a good idea.  Clear *last_tb for all
TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is
refill icount_extra.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'include/exec/exec-all.h')
-rw-r--r-- include/exec/exec-all.h 1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index bbc9478a50..21ab7bf3fd 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -318,6 +318,7 @@ static inline void tb_set_jmp_target(TranslationBlock *tb,
 static inline void tb_add_jump(TranslationBlock *tb, int n,
                                TranslationBlock *tb_next)
 {
+    assert(n < ARRAY_SIZE(tb->jmp_list_next));
     if (tb->jmp_list_next[n]) {
         /* Another thread has already done this while we were
          * outside of the lock; nothing to do in this case */
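Review bot: the new `assert(n < ARRAY_SIZE(tb->jmp_list_next));` compares the signed `int n` against the unsigned result of `ARRAY_SIZE`, so a negative `n` is converted to a large unsigned value and slips past the check before indexing `tb->jmp_list_next[n]`; write it as `assert(n >= 0 && n < ARRAY_SIZE(tb->jmp_list_next));` (or take `n` as `unsigned`) so both directions of the out-of-bounds index the commit message describes are caught, and this also avoids a signed/unsigned comparison warning. It would also help to state in a comment above `tb_add_jump` what range of `n` callers are expected to pass, since this hunk only turns the bad index into an abort; the cpu-exec change that clears `*last_tb` and removes the cause is outside this file and not visible here.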