Gaudenz Steinlin <gaud...@debian.org> reported that virtqueue_pop() terminates QEMU because the virtqueue size is exceeded following the CVE-2016-5403 fix. I have been unable to reproduce this or understand the root cause by code inspection. Along the way I did discover a few bugs in virtio-balloon and virtio code.

Please see the individual patches for details.

Gaudenz: If you can reproduce the bug you reported, please try again with these patches applied.

Stefan Hajnoczi (4):
  virtio: recalculate vq->inuse after migration
  virtio: decrement vq->inuse in virtqueue_discard()
  virtio: add virtqueue_rewind()
  virtio-balloon: fix stats vq migration

 hw/virtio/virtio-balloon.c | 10 ++++++++++
 hw/virtio/virtio.c         | 37 +++++++++++++++++++++++++++++++++++++
 include/hw/virtio/virtio.h |  1 +
 3 files changed, 48 insertions(+)

-- 
2.7.4