[Qemu-devel] [RFC 0/1] ide: attempt at fixing the bug #1777315.

From: Amol Surati <suratiamol@gmail.com>
To: qemu-devel@nongnu.org
Cc: Amol Surati <suratiamol@gmail.com>
Subject: [Qemu-devel] [RFC 0/1] ide: attempt at fixing the bug #1777315.
Date: Mon, 18 Jun 2018 00:05:14 +0530	[thread overview]
Message-ID: <20180617183515.3982-1-suratiamol@gmail.com> (raw)

This is an attempt at fixing the bug #1777315, through code review
alone (i.e. test and debugging are pending.)

The function bmdma_prepare_buf shows that s->io_buffer_size can be
controlled through the PRDs, and it is possible for it to not be a
perfect multiple of the sector size (the function ide_dma_cb assumes
that s->io_buffer_size is a perfect multiple of the sector size.)

For instance, consider a transfer of 630 bytes.
s->nsector should be (probably, I did not verify through test/debug) 2.

Let there be two PRDs, handed over to the bus-master:
prd[0]: len=512, eot=0
prd[1]: len=128, eot=1

The function bmdma_prepare_buf receives limit as 2*512 = 1024. During
the processing of the two PRDs, s->sg.size and s->io_buffer_size both
end up being set to 630.

Within the function ide_dma_cb, s->io_buffer_size >> 9 results in n
being set to 1, which is not greater than s->nsector (which must be
2.)

n * 512 is 512, while s->sg.size is 630; the difference results in
the firing of 'assert(n * 512 == s->sg.size);'.

Alternatively, a single change (discarding the current patch),

'assert(n * 512 == s->sg.size || s->io_buffer_size == s->sg.size);',

could work, provided these two are the only possibilities.

Amol Surati (1):
  ide: bug #1777315: io_buffer_size and sg.size can represent partial
    sector sizes

 hw/ide/core.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

-- 
2.17.1