Commit cd9244e4 authored by Anthony Liguori's avatar Anthony Liguori

Merge remote-tracking branch 'qemu-kvm/fix-vhost-after-memory-listener' into staging

* qemu-kvm/fix-vhost-after-memory-listener:
  vhost: improve region filtering
  vhost: fix mem_sections memory corruption
  vhost: fix incorrect userspace address
parents 1ddde087 c49450b9
+17 −6
@@ -15,6 +15,7 @@
#include "hw/hw.h"
#include "range.h"
#include <linux/vhost.h>
#include "exec-memory.h"

static void vhost_dev_sync_region(struct vhost_dev *dev,
                                  MemoryRegionSection *section,
@@ -365,10 +366,6 @@ static void vhost_set_memory(MemoryListener *listener,
    int r;
    void *ram;

    if (!memory_region_is_ram(section->mr)) {
        return;
    }

    dev->mem = g_realloc(dev->mem, s);

    if (log_dirty) {
@@ -378,7 +375,7 @@ static void vhost_set_memory(MemoryListener *listener,
    assert(size);

    /* Optimize no-change case. At least cirrus_vga does this a lot at this time. */
    ram = memory_region_get_ram_ptr(section->mr);
    ram = memory_region_get_ram_ptr(section->mr) + section->offset_within_region;
    if (add) {
        if (!vhost_dev_cmp_memory(dev, start_addr, size, (uintptr_t)ram)) {
            /* Region exists with same address. Nothing to do. */
@@ -430,12 +427,22 @@ static void vhost_set_memory(MemoryListener *listener,
    }
}

static bool vhost_section(MemoryRegionSection *section)
{
    return section->address_space == get_system_memory()
        && memory_region_is_ram(section->mr);
}

static void vhost_region_add(MemoryListener *listener,
                             MemoryRegionSection *section)
{
    struct vhost_dev *dev = container_of(listener, struct vhost_dev,
                                         memory_listener);

    if (!vhost_section(section)) {
        return;
    }

    ++dev->n_mem_sections;
    dev->mem_sections = g_renew(MemoryRegionSection, dev->mem_sections,
                                dev->n_mem_sections);
@@ -450,13 +457,17 @@ static void vhost_region_del(MemoryListener *listener,
                                         memory_listener);
    int i;

    if (!vhost_section(section)) {
        return;
    }

    vhost_set_memory(listener, section, false);
    for (i = 0; i < dev->n_mem_sections; ++i) {
        if (dev->mem_sections[i].offset_within_address_space
            == section->offset_within_address_space) {
            --dev->n_mem_sections;
            memmove(&dev->mem_sections[i], &dev->mem_sections[i+1],
                    dev->n_mem_sections - i);
                    (dev->n_mem_sections - i) * sizeof(*dev->mem_sections));
            break;
        }
    }
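Review bot: Dropping the `memory_region_is_ram()` check from vhost_set_memory() (second hunk) turns it into an unstated precondition: the function now relies on every caller having filtered the section through vhost_section() first, and the only callers visible here, vhost_region_add() and vhost_region_del(), do so, but any other caller would reach `memory_region_get_ram_ptr(section->mr)` with a non-RAM region. Since the function already asserts its inputs (`assert(size);`), the invariant is cheap to keep checked rather than implied, e.g. near the top of vhost_set_memory(): `/* Callers filter with vhost_section(): section->mr is RAM in system memory. */` followed by `assert(memory_region_is_ram(section->mr));`. vhost_set_memory() begins before the hunk, so the exact placement is outside this view.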