rpm/xen
SHA256
1
0
Fork 0
forked from pool/xen
Code Pull Requests Activity
Files
837bb1d292eca723011eb2ecacb454fb188e97230883d3824ed94612d4053e64
xen/ioemu-MSI-X-fix-unregister_iomem.patch

58 lines
2.0 KiB
Diff
Raw Blame History

qemu-dm: fix unregister_iomem()
References: bnc#744014
This function (introduced quite a long time ago in
e7911109f4321e9ba0cc56a253b653600aa46bea - "disable qemu PCI
devices in HVM domains") appears to be completely broken, causing
the regression reported in
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1805 (due to
the newly added caller of it in
56d7747a3cf811910c4cf865e1ebcb8b82502005 - "qemu: clean up
MSI-X table handling"). It's unclear how the function can ever have
fulfilled its purpose: the value returned by iomem_index() is *not* an
index into mmio[].
Additionally, fix two problems:
- unregister_iomem() must not clear mmio[].start, otherwise
cpu_register_physical_memory() won't be able to re-use the previous
slot, thus causing a leak
- cpu_unregister_io_memory() must not check mmio[].size, otherwise it
won't properly clean up entries (temporarily) squashed through
unregister_iomem()
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Tested-by: Yongjie Ren <yongjie.ren@intel.com>
--- a/tools/ioemu-qemu-xen/i386-dm/exec-dm.c
+++ b/tools/ioemu-qemu-xen/i386-dm/exec-dm.c
@@ -360,7 +360,7 @@ void cpu_unregister_io_memory(int io_tab
int io_index = io_table_address >> IO_MEM_SHIFT;
for (i = 0; i < mmio_cnt; i++) {
- if (mmio[i].size && mmio[i].io_index == io_index) {
+ if (mmio[i].io_index == io_index) {
mmio[i].start = mmio[i].size = 0;
break;
}
@@ -466,12 +466,16 @@ static int iomem_index(target_phys_addr_
void unregister_iomem(target_phys_addr_t start)
{
- int index = iomem_index(start);
- if (index) {
+ unsigned int index;
+
+ for (index = 0; index < mmio_cnt; index++)
+ if (start == mmio[index].start)
+ break;
+ if (index < mmio_cnt) {
fprintf(logfile, "squash iomem [%lx, %lx).\n",
(unsigned long)(mmio[index].start),
(unsigned long)(mmio[index].start + mmio[index].size));
- mmio[index].start = mmio[index].size = 0;
+ mmio[index].size = 0;
}
}
View Git Blame Copy Permalink