From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46422)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1WJrW2-0007hq-1Y
	for Qemu-devel@nongnu.org; Sat, 01 Mar 2014 16:32:22 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1WJrVs-0007uL-Bq
	for Qemu-devel@nongnu.org; Sat, 01 Mar 2014 16:32:13 -0500
Received: from mail-qg0-x22e.google.com ([2607:f8b0:400d:c04::22e]:50131)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1WJrVs-0007uD-7n
	for Qemu-devel@nongnu.org; Sat, 01 Mar 2014 16:32:04 -0500
Received: by mail-qg0-f46.google.com with SMTP id e89so6710896qgf.5
	for <Qemu-devel@nongnu.org>; Sat, 01 Mar 2014 13:32:03 -0800 (PST)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
Message-ID: <531251CB.10102@redhat.com>
Date: Sat, 01 Mar 2014 22:31:55 +0100
From: Paolo Bonzini <pbonzini@redhat.com>
MIME-Version: 1.0
References: <6777CD901FD53644B082307CD745FB8326AC9348@SACEXCMBX02-PRD.hq.netapp.com>	<530AC892.2080109@ozlabs.ru>
	<5311D2DD.4090904@ozlabs.ru>
In-Reply-To: <5311D2DD.4090904@ozlabs.ru>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] e1000 memory corruption in guest OS
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Alexey Kardashevskiy <aik@ozlabs.ru>, "Hoyer, David" <David.Hoyer@netapp.com>, "Qemu-devel@nongnu.org" <Qemu-devel@nongnu.org>
Cc: "Moyer, Keith" <Keith.Moyer@netapp.com>, "Best,
	Tish" <Tish.Best@netapp.com>

Il 01/03/2014 13:30, Alexey Kardashevskiy ha scritto:
>> >
>> > Corrupted DMA buffer is 0x e00000 -- 0x7f15c313f000.
>> > The e1000 packet is at  0x12ffac2 -- 0x7f15c313eac2.
>> >
>> > (0x7f15c313f000 - 0x7f15c313eac2) = 0x53e which is less than 0x5aa and
>> > (0x5aa - 0x53e) = 0x6c bytes get corrupted.
>> >
>> > I see here buffer overrun from e1000 and I suspect that your patch just
>> > hides this problem. What did I miss?
>
> Ping, anyone?

You missed that this is a Xen-specific problem.  Xen maps things a page 
at a time, so address_space_map/unmap/rw can operate only on a small 
part of the requested [address, address+length) range.

So there is no overrun in e1000.  The patch is incomplete, because it 
fixes only address_space_rw, but the problem is indeed in exec.c.

Paolo