Re: [Qemu-devel] e1000 memory corruption in guest OS

[Paolo Bonzini <pbonzini@redhat.com>]

Il 16/02/2014 05:29, Hoyer, David ha scritto:
> We are using Qemu-1.7.0 with Xen-4.3.0 and Debian jessie.   We are
> noticing that when we transfer large files from our network to the
> guestOS via the e1000 virtual network device that we experience memory
> corruption on the guestOS.   We have debugged this problem and have
> determined where it appears that the corruption is happening and have
> created a patch file with a fix (at least the corruption is no longer
> happening on our guestOS anymore).     Note that our test file is a
> large file consisting of the value 0x61 repeated over the entire file.

I think you are missing this patch:

commit 360e607b88a23d378f6efaa769c76d26f538234d
Author: Stefano Stabellini <Stefano.Stabellini@eu.citrix.com>
Date:   Thu Jan 30 12:46:05 2014 +0000

    address_space_translate: do not cross page boundaries
    
    The following commit:
    
    commit 149f54b53b7666a3facd45e86eece60ce7d3b114
    Author: Paolo Bonzini <pbonzini@redhat.com>
    Date:   Fri May 24 12:59:37 2013 +0200
    
        memory: add address_space_translate
    
    breaks Xen support in QEMU, in particular the Xen mapcache. The effect
    is that one Windows XP installation out of ten would end up with BSOD.
    
    The reason is that after this commit l in address_space_rw can span a
    page boundary, however qemu_get_ram_ptr still calls xen_map_cache asking
    to map a single page (if block->offset == 0).
    
    Fix the issue by reverting to the previous behaviour: do not return a
    length from address_space_translate_internal that can span a page
    boundary.
    
    Also in address_space_translate do not ignore the length returned by
    address_space_translate_internal.
    
    This patch should be backported to QEMU 1.6.x.
    
    Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    Signed-off-by: Anthony Perard <anthony.perard@citrix.com>
    Tested-by: Paolo Bonzini <pbonzini@redhat.com>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: qemu-stable@nongnu.org

and the subsequent fix:

commit a87f39543a9259f671c5413723311180ee2ad2a8
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Fri Feb 7 15:47:46 2014 +0100

    memory: fix limiting of translation at a page boundary
    
    Commit 360e607 (address_space_translate: do not cross page boundaries,
    2014-01-30) broke MMIO accesses in cases where the section is shorter
    than the full register width.  This can happen for example with the
    Bochs DISPI registers, which are 16 bits wide but have only a 1-byte
    long MemoryRegion (if you write to the "second byte" of the register
    your access is discarded; it doesn't write only to half of the register).
    
    Restrict the action of commit 360e607 to direct RAM accesses.  This
    is enough for Xen, since MMIO will not go through the mapcache.
    
    Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Both of them will be included next week in 1.7.1.

Paolo