From mboxrd@z Thu Jan 1 00:00:00 1970 From: Beth Kon Subject: [PATCH 2/2] Clean up RSDT Table Creation Date: Fri, 15 May 2009 23:16:40 -0400 Message-ID: <1242443800-22686-2-git-send-email-eak@us.ibm.com> References: <1242443800-22686-1-git-send-email-eak@us.ibm.com> Cc: kvm@vger.kernel.org, mtosatti@redhat.com, vincent@vincent-minet.net, gleb@redhat.com, anthony@codemonkey.ws, Beth Kon To: avi@redhat.com Return-path: Received: from e8.ny.us.ibm.com ([32.97.182.138]:43950 "EHLO e8.ny.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755435AbZEPDPj (ORCPT ); Fri, 15 May 2009 23:15:39 -0400 Received: from d01relay02.pok.ibm.com (d01relay02.pok.ibm.com [9.56.227.234]) by e8.ny.us.ibm.com (8.13.1/8.13.1) with ESMTP id n4G35iO9024859 for ; Fri, 15 May 2009 23:05:44 -0400 Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay02.pok.ibm.com (8.13.8/8.13.8/NCO v9.2) with ESMTP id n4G3Feg4229966 for ; Fri, 15 May 2009 23:15:40 -0400 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id n4G3FeWT010526 for ; Fri, 15 May 2009 23:15:40 -0400 In-Reply-To: <1242443800-22686-1-git-send-email-eak@us.ibm.com> Sender: kvm-owner@vger.kernel.org List-ID: This patch is also based on the patch by Vincent Minet. It corrects the size calculation of the RSDT, and checks for overflow of MAX_RSDT_ENTRIES, assuming that the external table entry count is contained within MAX_RSDT_ENTRIES. Signed-off-by: Beth Kon diff --git a/kvm/bios/rombios32.c b/kvm/bios/rombios32.c index 7f62e4f..ac8f9c5 100755 --- a/kvm/bios/rombios32.c +++ b/kvm/bios/rombios32.c @@ -1626,7 +1626,7 @@ void acpi_bios_init(void) addr = base_addr = ram_size - ACPI_DATA_SIZE; rsdt_addr = addr; rsdt = (void *)(addr); - rsdt_size = sizeof(*rsdt) + external_tables * 4; + rsdt_size = sizeof(*rsdt); addr += rsdt_size; fadt_addr = addr; 
@@ -1873,16 +1873,6 @@ void acpi_bios_init(void) "HPET", sizeof(*hpet), 1); #endif - acpi_additional_tables(); /* resets cfg to required entry */ - for(i = 0; i < external_tables; i++) { - uint16_t len; - if(acpi_load_table(i, addr, &len) < 0) - BX_PANIC("Failed to load ACPI table from QEMU\n"); - rsdt->table_offset_entry[nb_rsdt_entries++] = cpu_to_le32(addr); - addr += len; - if(addr >= ram_size) - BX_PANIC("ACPI table overflow\n"); - } #endif /* RSDT */ @@ -1895,6 +1885,19 @@ void acpi_bios_init(void) // rsdt->table_offset_entry[nb_rsdt_entries++] = cpu_to_le32(hpet_addr); if (nb_numa_nodes > 0) rsdt->table_offset_entry[nb_rsdt_entries++] = cpu_to_le32(srat_addr); + acpi_additional_tables(); /* resets cfg to required entry */ + /* external_tables load must occur last to + * properly check for MAX_RSDT_ENTRIES overflow. + */ + for(i = 0; i < external_tables; i++) { + uint16_t len; + if(acpi_load_table(i, addr, &len) < 0) + BX_PANIC("Failed to load ACPI table from QEMU\n"); + rsdt->table_offset_entry[nb_rsdt_entries++] = cpu_to_le32(addr); + addr += len; + if((addr >= ram_size) || (nb_rsdt_entries > MAX_RSDT_ENTRIES)) + BX_PANIC("ACPI table overflow\n"); + } #endif rsdt_size -= MAX_RSDT_ENTRIES * 4; rsdt_size += nb_rsdt_entries * 4;
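Review bot: In the first hunk (@@ -1626), `rsdt_size = sizeof(*rsdt);` is only correct if `sizeof(*rsdt)` already includes a `table_offset_entry` array of MAX_RSDT_ENTRIES slots. The later `rsdt_size -= MAX_RSDT_ENTRIES * 4; rsdt_size += nb_rsdt_entries * 4;` adjustment implies this, but the patch never shows or states it. A short comment at this assignment, saying that the full array is reserved here and the size is trimmed to the used entries at the end of acpi_bios_init(), would make that dependency visible to anyone who later changes the structure or MAX_RSDT_ENTRIES.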
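Review bot: In the last hunk (@@ -1895), the `nb_rsdt_entries > MAX_RSDT_ENTRIES` test sits after `rsdt->table_offset_entry[nb_rsdt_entries++] = cpu_to_le32(addr);`, so the entry is stored before the bound is checked. If the array holds MAX_RSDT_ENTRIES slots, as the size arithmetic at the end of the hunk suggests, an external table arriving when the count already equals MAX_RSDT_ENTRIES is written one slot past the end before BX_PANIC fires. I would test `nb_rsdt_entries >= MAX_RSDT_ENTRIES` at the top of the loop body, before acpi_load_table() is called. The same ordering applies to `addr >= ram_size`, which is evaluated only after acpi_load_table() has been handed `addr` and `addr += len` has been applied. The entries added before the loop (the SRAT one is visible here) are not checked at all, which the new comment about loading external tables last should say explicitly.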