From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: "Eugenio Pérez" <eperezma@redhat.com>,
	"Lei Yang" <leiyang@redhat.com>,
	"Jason Wang" <jasowang@redhat.com>
Subject: [PULL 3/3] vdpa: Fix memory listener deletions of iova tree
Date: Tue, 26 Jul 2022 16:50:55 +0800
Message-ID: <20220726085055.17239-4-jasowang@redhat.com>
In-Reply-To: <20220726085055.17239-1-jasowang@redhat.com>

From: Eugenio Pérez <eperezma@redhat.com>

vhost_vdpa_listener_region_del is always deleting the first iova entry
of the tree, since it's using the needle iova instead of the result's
one.

This was detected using a vga virtual device in the VM using vdpa SVQ.
It makes some extra memory adding and deleting, so the wrong one was
mapped / unmapped. This was undetected before since all the memory was
mapped and unmapped totally without that device, but other conditions
could trigger it too:

* mem_region was with .iova = 0, .translated_addr = (correct GPA).
* iova_tree_find_iova returned right result, but does not update
  mem_region.
* iova_tree_remove always removed region with .iova = 0. Right iova were
  sent to the device.
* Next map will fill the first region with .iova = 0, causing a mapping
  with the same iova and device complains, if the next action is a map.
* Next unmap will cause to try to unmap again iova = 0, causing the
  device to complain that no region was mapped at iova = 0.

Fixes: 34e3c94edaef ("vdpa: Add custom IOTLB translations to SVQ")
Reported-by: Lei Yang <leiyang@redhat.com>
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/virtio/vhost-vdpa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index bce64f4..3ff9ce3 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -290,7 +290,7 @@ static void vhost_vdpa_listener_region_del(MemoryListener *listener,
 
         result = vhost_iova_tree_find_iova(v->iova_tree, &mem_region);
         iova = result->iova;
-        vhost_iova_tree_remove(v->iova_tree, &mem_region);
+        vhost_iova_tree_remove(v->iova_tree, result);
     }
     vhost_vdpa_iotlb_batch_begin_once(v);
     ret = vhost_vdpa_dma_unmap(v, iova, int128_get64(llsize));
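Review bot: `result` is dereferenced at `iova = result->iova` and then handed to vhost_iova_tree_remove() with no check that vhost_iova_tree_find_iova() actually found an entry. If the lookup can return NULL for a region that was never added to the tree, this path faults before the unmap is issued; an explicit check with an error report and early return would make the failure visible instead. Separately, the argument to vhost_iova_tree_remove() is now a pointer to the entry being removed rather than to the caller's stack copy, so it is worth confirming that the remove helper does not read its argument after dropping the node. Copying `iova` out of `result` before the remove call, as the context lines do, is the right order on the caller's side.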
-- 
2.7.4


