On Tue, Dec 11, 2012 at 04:18:20PM +0200, Michael S. Tsirkin wrote:
> On Mon, Dec 10, 2012 at 02:09:37PM +0100, Stefan Hajnoczi wrote:
> > + iov->iov_base = hostmem_lookup(&vring->hostmem, desc.addr,
> > desc.len,
> > + desc.flags & VRING_DESC_F_WRITE);
> > + if (!iov->iov_base) {
> > + error_report("Failed to map indirect descriptor"
> > + "addr %#" PRIx64 " len %u",
> > + (uint64_t)desc.addr, desc.len);
> > + vring->broken = true;
> > + return -EFAULT;
> > + }
> > + iov->iov_len = desc.len;
> > + iov++;
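Review bot: In the error_report() call, the adjacent string literals "Failed to map indirect descriptor" and "addr %#" are concatenated with no space between them, so the logged message reads "descriptoraddr 0x...". Add a trailing space to the first literal (or a leading one to the second) so the message stays searchable in logs.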
>
> Hmm, this assumes a descriptor can not cross a memory
> region boundary. Is this really guaranteed?
> vhost does not make such assumptions.

Just responded in the other subthread.

hw/virtio.c doesn't split across memory region boundaries. This suggests
we don't hit this in practice. If it does we'll print the error and
disable the device until virtio reset.

I can add it to my TODO list. hw/virtio.c also uses exit(1) for
guest-triggerable errors at runtime and I'd like it to do something like
vring->broken above.

IMO it's not worth trying to perfect these things here. The next step
after this series should be looking at thread-safe memory API so that we
can use hw/virtio.c and improve it for all users.

Stefan
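
The behaviour discussed in this thread, as an added example that is not part of the original mail and is not QEMU code: a lookup that maps a guest descriptor only when it fits inside a single memory region, and latches the ring as broken rather than exiting when it does not. The names `struct region`, `struct ring`, `region_lookup`, `map_desc` and the sample regions are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical region table entry; not QEMU's hostmem structures. */
struct region { uint64_t guest_addr, size; uint8_t *host; bool readonly; };
struct ring   { const struct region *regions; size_t n; bool broken; };

/* Host pointer for [addr, addr+len) only if it fits inside ONE region. */
static void *region_lookup(const struct ring *r, uint64_t addr,
                           uint64_t len, bool is_write)
{
    for (size_t i = 0; i < r->n; i++) {
        const struct region *m = &r->regions[i];
        if (addr < m->guest_addr || addr - m->guest_addr >= m->size)
            continue;
        uint64_t off = addr - m->guest_addr;
        /* Compare against the space left, so addr + len can never wrap. */
        if (len > m->size - off || (is_write && m->readonly))
            return NULL;            /* leaves the region, or read-only */
        return m->host + off;
    }
    return NULL;                    /* address not backed by any region */
}

/* Map one guest descriptor; on failure latch the ring as broken. */
static int map_desc(struct ring *r, uint64_t addr, uint32_t len,
                    bool is_write, void **out)
{
    if (r->broken)
        return -EFAULT;             /* stays refused until a device reset */
    *out = region_lookup(r, addr, len, is_write);
    if (!*out) {
        r->broken = true;           /* guest-triggerable: do not exit(1) */
        return -EFAULT;
    }
    return 0;
}

/* Constructed sample: two guest-contiguous regions, separate host buffers. */
static uint8_t buf_a[0x1000], buf_b[0x1000];
static const struct region demo_regions[] = {
    { 0x1000, 0x1000, buf_a, false }, { 0x2000, 0x1000, buf_b, false } };
static struct ring demo = { demo_regions, 2, false };

int main(void)
{
    void *p;                        /* straddles both regions: rejected */
    return map_desc(&demo, 0x1ff0, 0x20, true, &p) == -EFAULT ? 0 : 1;
}
```

The two sample regions are contiguous in guest address space but not in host memory, which is the case where a straddling descriptor cannot be returned as one host pointer.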