[pve-qemu.git] / debian / patches / extra / 0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch

From 3474ad551f5ff8c550d388251c9555882d9beb5d Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 19 Sep 2017 14:20:28 +0200
Subject: [PATCH 14/14] virtio: fix descriptor counting in virtqueue_pop

While changing the s/g list allocation, commit 3b3b0628
also changed the descriptor counting to count iovec entries
as split by cpu_physical_memory_map(). Previously only the
actual descriptor entries were counted and the split into
the iovec happened afterwards in virtqueue_map().
Count the entries again instead to avoid erroneous
"Looped descriptor" errors.

Reported-by: Hans Middelhoek <h.middelhoek@ospito.nl>
Link: https://forum.proxmox.com/threads/vm-crash-with-memory-hotplug.35904/
Fixes: 3b3b0628217e ("virtio: slim down allocation of VirtQueueElements")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 hw/virtio/virtio.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 890b4d7eb7..33bb770177 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -834,7 +834,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
     int64_t len;
     VirtIODevice *vdev = vq->vdev;
     VirtQueueElement *elem = NULL;
-    unsigned out_num, in_num;
+    unsigned out_num, in_num, elem_entries;
     hwaddr addr[VIRTQUEUE_MAX_SIZE];
     struct iovec iov[VIRTQUEUE_MAX_SIZE];
     VRingDesc desc;
@@ -852,7 +852,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
     smp_rmb();
 
     /* When we start there are none of either input nor output. */
-    out_num = in_num = 0;
+    out_num = in_num = elem_entries = 0;
 
     max = vq->vring.num;
 
@@ -922,7 +922,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
         }
 
         /* If we've got too many, that implies a descriptor loop. */
-        if ((in_num + out_num) > max) {
+        if (++elem_entries > max) {
             virtio_error(vdev, "Looped descriptor");
             goto err_undo_map;
         }
-- 
2.11.0
Commit	Line	Data
fb8b489c WB	1	From 3474ad551f5ff8c550d388251c9555882d9beb5d Mon Sep 17 00:00:00 2001
	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
	3	Date: Tue, 19 Sep 2017 14:20:28 +0200
	4	Subject: [PATCH 14/14] virtio: fix descriptor counting in virtqueue_pop
	5
	6	While changing the s/g list allocation, commit 3b3b0628
	7	also changed the descriptor counting to count iovec entries
	8	as split by cpu_physical_memory_map(). Previously only the
	9	actual descriptor entries were counted and the split into
	10	the iovec happened afterwards in virtqueue_map().
	11	Count the entries again instead to avoid erroneous
	12	"Looped descriptor" errors.
	13
	14	Reported-by: Hans Middelhoek <h.middelhoek@ospito.nl>
	15	Link: https://forum.proxmox.com/threads/vm-crash-with-memory-hotplug.35904/
	16	Fixes: 3b3b0628217e ("virtio: slim down allocation of VirtQueueElements")
	17	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	18	---
	19	hw/virtio/virtio.c \| 6 +++---
	20	1 file changed, 3 insertions(+), 3 deletions(-)
	21
	22	diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
	23	index 890b4d7eb7..33bb770177 100644
	24	--- a/hw/virtio/virtio.c
	25	+++ b/hw/virtio/virtio.c
	26	@@ -834,7 +834,7 @@ void virtqueue_pop(VirtQueue vq, size_t sz)
	27	int64_t len;
	28	VirtIODevice *vdev = vq->vdev;
	29	VirtQueueElement *elem = NULL;
	30	- unsigned out_num, in_num;
	31	+ unsigned out_num, in_num, elem_entries;
	32	hwaddr addr[VIRTQUEUE_MAX_SIZE];
	33	struct iovec iov[VIRTQUEUE_MAX_SIZE];
	34	VRingDesc desc;
	35	@@ -852,7 +852,7 @@ void virtqueue_pop(VirtQueue vq, size_t sz)
	36	smp_rmb();
	37
	38	/* When we start there are none of either input nor output. */
	39	- out_num = in_num = 0;
	40	+ out_num = in_num = elem_entries = 0;
	41
	42	max = vq->vring.num;
	43
	44	@@ -922,7 +922,7 @@ void virtqueue_pop(VirtQueue vq, size_t sz)
	45	}
	46
	47	/* If we've got too many, that implies a descriptor loop. */
	48	- if ((in_num + out_num) > max) {
	49	+ if (++elem_entries > max) {
	50	virtio_error(vdev, "Looped descriptor");
	51	goto err_undo_map;
	52	}
	53	--
	54	2.11.0
	55