@@ -773,6 +773,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
VirtQueueElement elem;
size_t s;
struct iovec *iov;
+ struct iovec iov_copy[VIRTQUEUE_MAX_SIZE];
unsigned int iov_cnt;
while (virtqueue_pop(vq, &elem)) {
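Review bot: `iov_copy[VIRTQUEUE_MAX_SIZE]` reserves a full-size scatter-gather array on the stack of virtio_net_handle_ctrl, although only `elem.out_num` entries are ever used. If VIRTQUEUE_MAX_SIZE is 1024, as I believe it is in the virtio headers, that is roughly 16 KiB per call on a 64-bit host. A heap copy sized to the request, `iov_copy = g_memdup(elem.out_sg, elem.out_num * sizeof(struct iovec));`, released with `g_free(iov_copy);` after the unmap, would keep the frame small. The function body continues outside this hunk, so any other exit from the loop would need the same free.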
@@ -782,6 +783,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
exit(1);
}
+ memcpy(iov_copy, elem.out_sg, elem.out_num*sizeof(struct iovec));
iov = elem.out_sg;
iov_cnt = elem.out_num;
s = iov_to_buf(iov, iov_cnt, 0, &ctrl, sizeof(ctrl));
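Review bot: The memcpy length is `elem.out_num * sizeof(struct iovec)`, and `elem.out_num` comes from the guest's descriptor chain, so the copy is only safe if out_num can never exceed VIRTQUEUE_MAX_SIZE. That bound is not visible in this hunk. Presumably virtqueue_pop enforces it, but the destination is a fixed-size stack array in the device model, so an overrun here would be guest-triggered stack corruption. I would state the invariant right at the copy with `assert(elem.out_num <= ARRAY_SIZE(iov_copy));`, or reject the request through the existing error path, whose start is outside this hunk.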
@@ -804,7 +806,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
assert(s == sizeof(status));
virtqueue_unmap_sg(elem.in_sg, elem.in_num, 1, sizeof(status));
- virtqueue_unmap_sg(elem.out_sg, elem.out_num, 0, UINT_MAX);
+ virtqueue_unmap_sg(iov_copy, elem.out_num, 0, UINT_MAX);
virtqueue_fill(vq, &elem, sizeof(status), 0);
virtqueue_flush(vq, 1);
virtio_notify(vdev, vq);
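Review bot: Nothing at this line explains why the unmap takes `iov_copy` rather than `elem.out_sg`, so a later cleanup could easily revert it. Going by the commit message, the code between the hunks advances `iov`, which aliases `elem.out_sg`, so that array no longer describes what was mapped. That code is outside this hunk. I would add `/* elem.out_sg may have been advanced in place; unmap the regions as originally mapped */` above the call.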
In virtio_net_handle_ctrl unmap the previously mapped out_sg, not a subset of it. This patch fixes an abort() when running on Xen. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> CC: jasowang@redhat.com CC: wency@cn.fujitsu.com CC: mst@redhat.com CC: pbonzini@redhat.com --- hw/net/virtio-net.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)