From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:34811)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bo.novell@gmail.com>) id 1T6FCU-0000OU-Os
	for qemu-devel@nongnu.org; Tue, 28 Aug 2012 02:23:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <bo.novell@gmail.com>) id 1T6FCN-0006bJ-Dc
	for qemu-devel@nongnu.org; Tue, 28 Aug 2012 02:22:58 -0400
Received: from mail-wi0-f181.google.com ([209.85.212.181]:52599)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bo.novell@gmail.com>) id 1T6FCN-0006am-7G
	for qemu-devel@nongnu.org; Tue, 28 Aug 2012 02:22:51 -0400
Received: by wibhm2 with SMTP id hm2so2969954wib.10
	for <qemu-devel@nongnu.org>; Mon, 27 Aug 2012 23:22:50 -0700 (PDT)
Sender: Bo Yang <bo.novell@gmail.com>
From: Bo Yang <boyang@suse.com>
Date: Tue, 28 Aug 2012 14:23:37 +0800
Message-Id: <1346135017-5975-1-git-send-email-boyang@suse.com>
Subject: [Qemu-devel] [PATCH] Fix buffer run out in eepro100.
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

The guest may enter into state of no receive descriptors,
and if there is no interrupt, the descriptor filling function
has no chance to run again,which causes network stall. According
to liunux driver's implementation, the descriptor with EL bit set
must not be touched by hardware, usually, the buffer size of this
descriptor is set to 0.

Signed-off-by: Bo Yang <boyang@suse.com>
---
 hw/eepro100.c |   21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/hw/eepro100.c b/hw/eepro100.c
index 50d117e..e0efd96 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -1619,8 +1619,13 @@ static const MemoryRegionOps eepro100_ops = {
 static int nic_can_receive(NetClientState *nc)
 {
     EEPRO100State *s = DO_UPCAST(NICState, nc, nc)->opaque;
+    ru_state_t state;
     TRACE(RXTX, logout("%p\n", s));
-    return get_ru_state(s) == ru_ready;
+    state = get_ru_state(s);
+    if (state == ru_no_resources) {
+	eepro100_rnr_interrupt(s);
+    }
+    return state == ru_ready;
 #if 0
     return !eepro100_buffer_full(s);
 #endif
@@ -1732,6 +1737,15 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
                  &rx, sizeof(eepro100_rx_t));
     uint16_t rfd_command = le16_to_cpu(rx.command);
     uint16_t rfd_size = le16_to_cpu(rx.size);
+    /* don't touch the rx descriptor with EL set. */
+    if (rfd_command & COMMAND_EL) {
+        /* EL bit is set, so this was the last frame. */
+        logout("receive: Running out of frames\n");
+        set_ru_state(s, ru_no_resources);
+        s->statistics.rx_resource_errors++;
+	eepro100_rnr_interrupt(s);
+	return -1;
+    }
 
     if (size > rfd_size) {
         logout("Receive buffer (%" PRId16 " bytes) too small for data "
@@ -1767,11 +1781,6 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
     s->statistics.rx_good_frames++;
     eepro100_fr_interrupt(s);
     s->ru_offset = le32_to_cpu(rx.link);
-    if (rfd_command & COMMAND_EL) {
-        /* EL bit is set, so this was the last frame. */
-        logout("receive: Running out of frames\n");
-        set_ru_state(s, ru_suspended);
-    }
     if (rfd_command & COMMAND_S) {
         /* S bit is set. */
         set_ru_state(s, ru_suspended);
-- 
1.6.0.2