From: Hannes Reinecke
Subject: Indefinite recursion in pci_default_read_config
Date: Tue, 15 Dec 2009 11:57:05 +0100
Message-ID: <4B276B81.4030709@suse.de>
To: kvm@vger.kernel.org
List-ID: kvm@vger.kernel.org

Hi all,

I just triggered a nasty indefinite recursion in pci_default_read_config:

    uint32_t pci_default_read_config(PCIDevice *d, uint32_t address, int len)
    {
        uint32_t val = 0;
        assert(len == 1 || len == 2 || len == 4);

        if (pci_access_cap_config(d, address, len)) {
            return d->cap.config_read(d, address, len);
        }

        len = MIN(len, pci_config_size(d) - address);
        memcpy(&val, d->config + address, len);
        return le32_to_cpu(val);
    }

And d->cap.config_read is pointing to pci_default_read_config:

    (gdb) print *d
    $3 = {qdev = {id = 0xc99b10 "01:10.0", state = DEV_STATE_INITIALIZED,
        opts = 0xc99ad0, hotplugged = 0, info = 0x837e60, parent_bus = 0xc71710,
        num_gpio_out = 0, gpio_out = 0x0, num_gpio_in = 0, gpio_in = 0x0,
        child_bus = {lh_first = 0x0}, num_child_bus = 0, sibling = {
          le_next = 0xc99c30, le_prev = 0xc71730}},
      config = 0xca3010 "\206\200\312\020\003",
      cmask = 0xca3120 "\377\377\377\377", wmask = 0xca3230 "",
      used = 0xca3340 "", bus = 0xc71710, devfn = 32,
      name = "pci-assign", '\000' , io_regions = {{
          addr = 4060102656, size = 16384, filtered_size = 16384, type = 0 '\000',
          map_func = 0x46a5f0 }, {addr = 0, size = 0,
          filtered_size = 0, type = 0 '\000', map_func = 0}, {addr = 0, size = 0,
          filtered_size = 0, type = 0 '\000', map_func = 0}, {addr = 4060119040,
          size = 16384, filtered_size = 16384, type = 0 '\000',
          map_func = 0x46a5f0 }, {addr = 0, size = 0,
          filtered_size = 0, type = 0 '\000', map_func = 0}, {addr = 0, size = 0,
          filtered_size = 0, type = 0 '\000', map_func = 0}, {addr = 0, size = 0,
          filtered_size = 0, type = 0 '\000', map_func = 0}},
      config_read = 0x46a050 ,
      config_write = 0x469f30 , irq = 0xca3450,
      irq_state = 0 '\000', cap_present = 0, msix_cap = 0 '\000',
      msix_entries_nr = 0, msix_table_page = 0x0, msix_mmio_index = 0,
      msix_entry_used = 0x0, msix_bar_size = 0, version_id = 2,
      msix_page_size = 0, msix_irq_entries = 0x0, cap = {supported = 1,
        start = 64, length = 16,
        config_read = 0x416770 ,
        config_write = 0x46b750 }}

Not good ...

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                   zSeries & Storage
hare@suse.de                          +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Markus Rex, HRB 16746 (AG Nürnberg)
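An added illustration of the hazard in the mail above (not QEMU's code and not part of Hannes's message): a hypothetical miniature of PCIDevice whose default config reader refuses to dispatch to a cap.config_read hook that aliases the default reader itself, so the misdefaulted state shown in the gdb dump (cap at offset 64, length 16, hook == default reader) falls through to a plain config-space read instead of recursing. The structure layout, CONFIG_SIZE and the capability bytes are constructed for the example.

```c
#include <assert.h>
#include <stdint.h>
#define CONFIG_SIZE 256
typedef struct PCIDev PCIDev;
typedef uint32_t (*cfg_read_fn)(PCIDev *d, uint32_t address, int len);

/* Hypothetical miniature of the structures in the report; not QEMU's code. */
struct PCIDev {
    uint8_t config[CONFIG_SIZE];
    struct {
        int supported;
        uint32_t start, length;
        cfg_read_fn config_read;  /* the capability-range hook, d->cap.config_read */
    } cap;
};
/* Does [address, address + len) overlap the capability range? */
static int cap_access(PCIDev *d, uint32_t address, int len)
{
    return d->cap.supported && address + len > d->cap.start &&
           address < d->cap.start + d->cap.length;
}
/* Plain config-space read, byte-assembled so it is host-endian independent. */
static uint32_t read_config_raw(PCIDev *d, uint32_t address, int len)
{
    uint32_t val = 0;
    for (int i = 0; i < len && address + i < CONFIG_SIZE; i++)
        val |= (uint32_t)d->config[address + i] << (8 * i);
    return val;
}

uint32_t pci_default_read_config(PCIDev *d, uint32_t address, int len)
{
    assert(len == 1 || len == 2 || len == 4);
    if (cap_access(d, address, len)) {
        cfg_read_fn hook = d->cap.config_read;
        /* Guard: a hook aliasing this function counts as "no hook", so no recursion. */
        if (hook && hook != pci_default_read_config)
            return hook(d, address, len);
    }
    return read_config_raw(d, address, len);
}

/* Reproduces the reported state: cap at 64, length 16, hook == the default reader. */
uint32_t demo_misdefaulted_hook(void)
{
    PCIDev dev = { .cap = { 1, 64, 16, pci_default_read_config } };
    dev.config[64] = 0x34; dev.config[65] = 0x12;  /* constructed capability bytes */
    return pci_default_read_config(&dev, 64, 2);   /* returns 0x1234 */
}
int main(void) { return demo_misdefaulted_hook() == 0x1234 ? 0 : 1; }
```

Without the guard in pci_default_read_config the same demo would recurse until the stack is exhausted, which is exactly the failure the mail reports.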