Message ID | 20240228124638.55752-1-heinrich.schuchardt@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Series | [1/1] physmem: avoid bounce buffer too small |
On 28.02.24 13:46, Heinrich Schuchardt wrote: > virtqueue_map_desc() is called with values of sz exceeding that may exceed > TARGET_PAGE_SIZE. sz = 0x2800 has been observed. > > We only support a single bounce buffer. We have to avoid > virtqueue_map_desc() calling address_space_map() multiple times. Otherwise > we see an error > > qemu: virtio: bogus descriptor or out of resources > > Increase the minimum size of the bounce buffer to 0x10000 which matches > the largest value of TARGET_PAGE_SIZE for all architectures. > > Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> > --- > roms/edk2 | 2 +- > roms/seabios-hppa | 2 +- > system/physmem.c | 8 ++++++-- > 3 files changed, 8 insertions(+), 4 deletions(-) > > diff --git a/roms/edk2 b/roms/edk2 > index edc6681206..b8a3eec88c 160000 > --- a/roms/edk2 > +++ b/roms/edk2 > @@ -1 +1 @@ > -Subproject commit edc6681206c1a8791981a2f911d2fb8b3d2f5768 > +Subproject commit b8a3eec88cc74bbfe7fb389d026cc7d1d8a989c8 I have resent v2 of the patch w/o this unrelated change. > diff --git a/roms/seabios-hppa b/roms/seabios-hppa > index 03774edaad..e4eac85880 160000 > --- a/roms/seabios-hppa > +++ b/roms/seabios-hppa > @@ -1 +1 @@ > -Subproject commit 03774edaad3bfae090ac96ca5450353c641637d1 > +Subproject commit e4eac85880e8677f96d8b9e94de9f2eec9c0751f > diff --git a/system/physmem.c b/system/physmem.c > index e3ebc19eef..3c82da1c86 100644 > --- a/system/physmem.c > +++ b/system/physmem.c > @@ -3151,8 +3151,12 @@ void *address_space_map(AddressSpace *as, > *plen = 0; > return NULL; > } > - /* Avoid unbounded allocations */ > - l = MIN(l, TARGET_PAGE_SIZE); > + /* > + * There is only one bounce buffer. The largest occuring value of > + * parameter sz of virtqueue_map_desc() must fit into the bounce > + * buffer. > + */ > + l = MIN(l, 0x10000); > bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l); > bounce.addr = addr; > bounce.len = l;
diff --git a/roms/edk2 b/roms/edk2 index edc6681206..b8a3eec88c 160000 --- a/roms/edk2 +++ b/roms/edk2 @@ -1 +1 @@ -Subproject commit edc6681206c1a8791981a2f911d2fb8b3d2f5768 +Subproject commit b8a3eec88cc74bbfe7fb389d026cc7d1d8a989c8 diff --git a/roms/seabios-hppa b/roms/seabios-hppa index 03774edaad..e4eac85880 160000 --- a/roms/seabios-hppa +++ b/roms/seabios-hppa @@ -1 +1 @@ -Subproject commit 03774edaad3bfae090ac96ca5450353c641637d1 +Subproject commit e4eac85880e8677f96d8b9e94de9f2eec9c0751f diff --git a/system/physmem.c b/system/physmem.c index e3ebc19eef..3c82da1c86 100644 --- a/system/physmem.c +++ b/system/physmem.c @@ -3151,8 +3151,12 @@ void *address_space_map(AddressSpace *as, *plen = 0; return NULL; } - /* Avoid unbounded allocations */ - l = MIN(l, TARGET_PAGE_SIZE); + /* + * There is only one bounce buffer. The largest occuring value of + * parameter sz of virtqueue_map_desc() must fit into the bounce + * buffer. + */ + l = MIN(l, 0x10000); bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l); bounce.addr = addr; bounce.len = l;
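Review bot: the gitlink bumps in roms/edk2 and roms/seabios-hppa are not covered by the commit message, which only describes the bounce buffer change in system/physmem.c. Drop both submodule pointer updates from this patch; if either is intended, send it separately with its own justification, because a changed "Subproject commit" line switches the firmware sources to a different revision that a reviewer of a physmem fix has no reason to audit.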
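Review bot: in the system/physmem.c hunk, `l = MIN(l, 0x10000);` replaces a target-derived bound with a bare literal, and the new comment drops the reason for the cap that the removed `/* Avoid unbounded allocations */` line stated. Suggest a named constant with a comment saying it is still an upper bound on the bounce allocation, since the length being clamped is the caller-supplied mapping length. The comment also says the largest value of sz "must fit", but nothing in the hunk enforces that: a request longer than 0x10000 is still truncated by MIN() and the caller would need a second mapping from the single bounce buffer. The commit message calls this the "minimum size" although MIN() sets a maximum, and "occuring" in the comment should read "occurring".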
virtqueue_map_desc() is called with values of sz that may exceed
TARGET_PAGE_SIZE. sz = 0x2800 has been observed.

We only support a single bounce buffer. We have to avoid
virtqueue_map_desc() calling address_space_map() multiple times. Otherwise
we see an error

    qemu: virtio: bogus descriptor or out of resources

Increase the minimum size of the bounce buffer to 0x10000 which matches
the largest value of TARGET_PAGE_SIZE for all architectures.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---
 roms/edk2         | 2 +-
 roms/seabios-hppa | 2 +-
 system/physmem.c  | 8 ++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)
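The failure mode the commit message describes, as an added example that is not part of the original patch or of QEMU: a simplified C model of a single bounce buffer whose mapping length is capped. The names bounce_model, model_map and model_map_desc are hypothetical, and the caller loop is an assumption based on the commit message's description of virtqueue_map_desc().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; hypothetical names, not QEMU's own definitions. */
struct bounce_model { bool in_use; void *buffer; uint64_t addr; size_t len; };

/* Models the bounce path of address_space_map(): one buffer, capped length. */
static void *model_map(struct bounce_model *b, uint64_t addr, size_t *plen,
                       size_t cap)
{
    if (b->in_use) {            /* the single bounce buffer is already taken */
        *plen = 0;
        return NULL;
    }
    size_t l = *plen < cap ? *plen : cap;   /* l = MIN(l, cap) */
    b->buffer = malloc(l);
    if (!b->buffer) { *plen = 0; return NULL; }
    b->in_use = true;
    b->addr = addr;
    b->len = l;
    *plen = l;                  /* tell the caller how much was mapped */
    return b->buffer;
}

/*
 * Assumed caller behaviour: map a descriptor of sz bytes piece by piece until
 * all of it is covered. Returns the number of segments mapped, or -1 when a
 * map call fails (the "bogus descriptor or out of resources" case).
 */
static int model_map_desc(uint64_t pa, size_t sz, size_t cap)
{
    struct bounce_model b = {0};
    int segs = 0;
    while (sz > 0) {
        size_t len = sz;
        if (!model_map(&b, pa, &len, cap)) { free(b.buffer); return -1; }
        segs++; sz -= len; pa += len;
    }
    free(b.buffer);
    return segs;
}

int main(void)
{
    printf("cap 0x1000:  %d\n", model_map_desc(0, 0x2800, 0x1000));
    printf("cap 0x10000: %d\n", model_map_desc(0, 0x2800, 0x10000));
    return 0;
}
```

With a cap of 0x1000 the 0x2800 request fails on its second map call; with 0x10000 it is mapped in one call, but a request above 0x10000 fails the same way.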