Merge remote-tracking branch 'qmp/queue/qmp' into staging

* qmp/queue/qmp:
  monitor: assert monitor_puts()'s loop invariant
  target-i386: fix bits 39:32 of the final physical address when using 4M page

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2 files changed, 9 insertions, 3 deletions

diff --git a/monitor.c b/monitor.c
index 9cf419bb1d..c6eac608a3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -270,6 +270,7 @@ static void monitor_puts(Monitor *mon, const char *str)
     char c;
 
     for(;;) {
+        assert(mon->outbuf_index < sizeof(mon->outbuf) - 1);
         c = *str++;
         if (c == '\0')
             break;
diff --git a/target-i386/arch_memory_mapping.c b/target-i386/arch_memory_mapping.c
index c6c7874474..844893f44d 100644
--- a/target-i386/arch_memory_mapping.c
+++ b/target-i386/arch_memory_mapping.c
@@ -115,7 +115,7 @@ static void walk_pde2(MemoryMappingList *list,
                       hwaddr pde_start_addr, int32_t a20_mask,
                       bool pse)
 {
-    hwaddr pde_addr, pte_start_addr, start_paddr;
+    hwaddr pde_addr, pte_start_addr, start_paddr, high_paddr;
     uint32_t pde;
     target_ulong line_addr, start_vaddr;
     int i;
@@ -130,8 +130,13 @@ static void walk_pde2(MemoryMappingList *list,
 
         line_addr = (((unsigned int)i & 0x3ff) << 22);
         if ((pde & PG_PSE_MASK) && pse) {
-            /* 4 MB page */
-            start_paddr = (pde & ~0x3fffff) | ((pde & 0x1fe000) << 19);
+            /*
+             * 4 MB page:
+             * bits 39:32 are bits 20:13 of the PDE
+             * bit3 31:22 are bits 31:22 of the PDE
+             */
+            high_paddr = ((hwaddr)(pde & 0x1fe000) << 19);
+            start_paddr = (pde & ~0x3fffff) | high_paddr;
             if (cpu_physical_memory_is_io(start_paddr)) {
                 /* I/O region */
                 continue;