On 11/27/2014 05:08 PM, Fam Zheng wrote:
> On Thu, 11/27 13:59, Jason Wang wrote:
>> > virtio_net_handle_ctrl() and other functions that process control vq
>> > request call iov_discard_front() which will shorten the iov. This will
>> > lead unmapping in virtqueue_push() leaks mapping.
>> >
>> > Fixes this by keeping the original iov untouched and using a temp variable
>> > in those functions.
>> >
>> > Cc: Wen Congyang <we...@cn.fujitsu.com>
>> > Cc: Stefano Stabellini <stefano.stabell...@eu.citrix.com>
>> > Cc: qemu-sta...@nongnu.org
>> > Signed-off-by: Jason Wang <jasow...@redhat.com>
>> > ---
>> > hw/net/virtio-net.c | 9 +++++++--
>> > 1 file changed, 7 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
>> > index 9b88775..fdb4edd 100644
>> > --- a/hw/net/virtio-net.c
>> > +++ b/hw/net/virtio-net.c
>> > @@ -798,7 +798,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev,
>> > VirtQueue *vq)
>> > virtio_net_ctrl_ack status = VIRTIO_NET_ERR;
>> > VirtQueueElement elem;
>> > size_t s;
>> > - struct iovec *iov;
>> > + struct iovec *iov, *iov2;
>> > unsigned int iov_cnt;
>> >
>> > while (virtqueue_pop(vq, &elem)) {
>> > @@ -808,8 +808,12 @@ static void virtio_net_handle_ctrl(VirtIODevice
>> > *vdev, VirtQueue *vq)
>> > exit(1);
>> > }
>> >
>> > - iov = elem.out_sg;
>> > iov_cnt = elem.out_num;
>> > + s = sizeof(struct iovec) * elem.out_num;
>> > + iov = g_malloc(s);
>> > + memcpy(iov, elem.out_sg, s);
> This could be
>
> iov = g_memdup(elem.out_sg, sizeof(struct iovect) * elem.out_num);
>
> Fam
>
Right, will post V2.
Thanks
