Commit ff3b8b8f authored Nov 25, 2016 by Jan Beulich Committed by Stefano Stabellini Nov 28, 2016

xen: fix quad word bufioreq handling



We should not consume the second slot if it didn't get written yet.
Normal writers - i.e. Xen - would not update write_pointer between the
two writes, but the page may get fiddled with by the guest itself, and
we're better off avoiding to enter an infinite loop in that case.

Reported-by: yanghongke <yanghongke@huawei.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>

parent 7875efb9

xen-hvm.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1021,6 +1021,9 @@ static int handle_buffered_iopage(XenIOState *state)
		xen_rmb();
		qw = (req.size == 8);
		if (qw) {
		if (rdptr + 1 == wrptr) {
		hw_error("Incomplete quad word buffered ioreq");
		}
		buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
		IOREQ_BUFFER_SLOT_NUM];
		req.data \|= ((uint64_t)buf_req->data) << 32;