[Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes

[Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes

[yinyin]

Hi,all:
	in func virtqueue_get_avail_bytes， when found a indirect desc, we need loop over it.
            /* loop over the indirect descriptor table */
            indirect = 1;
            max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
            num_bufs = i = 0;
            desc_pa = vring_desc_addr(desc_pa, i);
	But, It init i to 0, then use i to update desc_pa. so we will always get  :
	desc_pa = vring_desc_addr(desc_pa, 0);
	is it right？or should we update desc_pa first, then init i to 0?

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 09f62c6..554ae6f 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
             /* loop over the indirect descriptor table */
             indirect = 1;
             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
-            num_bufs = i = 0;
             desc_pa = vring_desc_addr(desc_pa, i);
+           num_bufs = i = 0;
         }
 
         do {

Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes

[Stefan Hajnoczi]

On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> Hi,all:
> 	in func virtqueue_get_avail_bytes， when found a indirect desc, we need loop over it.
>             /* loop over the indirect descriptor table */
>             indirect = 1;
>             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
>             num_bufs = i = 0;
>             desc_pa = vring_desc_addr(desc_pa, i);
> 	But, It init i to 0, then use i to update desc_pa. so we will always get  :
> 	desc_pa = vring_desc_addr(desc_pa, 0);
> 	is it right？or should we update desc_pa first, then init i to 0?

Is there a way to trigger a crash or erorr from a normal running guest?

Affected devices: serial, rng, and net - they call
virtqueue_get_avail_bytes() directly or indirectly.

> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 09f62c6..554ae6f 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
>              /* loop over the indirect descriptor table */
>              indirect = 1;
>              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> -            num_bufs = i = 0;
>              desc_pa = vring_desc_addr(desc_pa, i);
> +           num_bufs = i = 0;

I agree, this looks wrong.  git-blame(1) doesn't reveal anything
interesting.  Looks like this bug has been around since 2009!

Please resend your patch according to the guidelines here:
http://qemu-project.org/Contribute/SubmitAPatch

In particular, please include a Signed-off-by: Your Name <your@email.org> line.

Stefan

[Qemu-devel] [PATCH]virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table

[yinyin]

virtqueue_get_avail_bytes: when found a indirect desc, we need loop over it.
           /* loop over the indirect descriptor table */
           indirect = 1;
           max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
           num_bufs = i = 0;
           desc_pa = vring_desc_addr(desc_pa, i);
But, It init i to 0, then use i to update desc_pa. so we will always get:
desc_pa = vring_desc_addr(desc_pa, 0);
the last two line should swap.

Signed-off-by: Yin Yin <yin.yin@cs2c.com.cn>
---
 hw/virtio/virtio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index f03c45d..2f1e73b 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
             /* loop over the indirect descriptor table */
             indirect = 1;
             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
-            num_bufs = i = 0;
             desc_pa = vring_desc_addr(desc_pa, i);
+            num_bufs = i = 0;
         }
 
         do {
-- 
1.7.12.4 (Apple Git-37)

Re: [Qemu-devel] [PATCH]virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table

[Stefan Hajnoczi]

On Thu, Aug 22, 2013 at 02:47:16PM +0800, yinyin wrote:
> virtqueue_get_avail_bytes: when found a indirect desc, we need loop over it.
>            /* loop over the indirect descriptor table */
>            indirect = 1;
>            max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
>            num_bufs = i = 0;
>            desc_pa = vring_desc_addr(desc_pa, i);
> But, It init i to 0, then use i to update desc_pa. so we will always get:
> desc_pa = vring_desc_addr(desc_pa, 0);
> the last two line should swap.
> 
> Signed-off-by: Yin Yin <yin.yin@cs2c.com.cn>
> ---
>  hw/virtio/virtio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

Re: [Qemu-devel] [PATCH]virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table

[Michael S. Tsirkin]

On Thu, Aug 22, 2013 at 02:47:16PM +0800, yinyin wrote:
> virtqueue_get_avail_bytes: when found a indirect desc, we need loop over it.
>            /* loop over the indirect descriptor table */
>            indirect = 1;
>            max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
>            num_bufs = i = 0;
>            desc_pa = vring_desc_addr(desc_pa, i);
> But, It init i to 0, then use i to update desc_pa. so we will always get:
> desc_pa = vring_desc_addr(desc_pa, 0);
> the last two line should swap.
> 
> Signed-off-by: Yin Yin <yin.yin@cs2c.com.cn>

Applied, thanks everyone

> ---
>  hw/virtio/virtio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index f03c45d..2f1e73b 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
>              /* loop over the indirect descriptor table */
>              indirect = 1;
>              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> -            num_bufs = i = 0;
>              desc_pa = vring_desc_addr(desc_pa, i);
> +            num_bufs = i = 0;
>          }
>  
>          do {
> -- 
> 1.7.12.4 (Apple Git-37)

Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes

[Amit Shah]

On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > Hi,all:
> > 	in func virtqueue_get_avail_bytes， when found a indirect desc, we need loop over it.
> >             /* loop over the indirect descriptor table */
> >             indirect = 1;
> >             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> >             num_bufs = i = 0;
> >             desc_pa = vring_desc_addr(desc_pa, i);
> > 	But, It init i to 0, then use i to update desc_pa. so we will always get  :
> > 	desc_pa = vring_desc_addr(desc_pa, 0);
> > 	is it right？or should we update desc_pa first, then init i to 0?
> 
> Is there a way to trigger a crash or erorr from a normal running guest?
> 
> Affected devices: serial, rng, and net - they call
> virtqueue_get_avail_bytes() directly or indirectly.
> 
> > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > index 09f62c6..554ae6f 100644
> > --- a/hw/virtio/virtio.c
> > +++ b/hw/virtio/virtio.c
> > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
> >              /* loop over the indirect descriptor table */
> >              indirect = 1;
> >              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > -            num_bufs = i = 0;
> >              desc_pa = vring_desc_addr(desc_pa, i);
> > +           num_bufs = i = 0;
> 
> I agree, this looks wrong.  git-blame(1) doesn't reveal anything
> interesting.  Looks like this bug has been around since 2009!

Hm, why hasn't this bitten anyone yet?

		Amit

Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes

[Michael S. Tsirkin]

On Tue, Sep 03, 2013 at 04:40:21PM +0530, Amit Shah wrote:
> On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> > On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > > Hi,all:
> > > 	in func virtqueue_get_avail_bytes， when found a indirect desc, we need loop over it.
> > >             /* loop over the indirect descriptor table */
> > >             indirect = 1;
> > >             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > >             num_bufs = i = 0;
> > >             desc_pa = vring_desc_addr(desc_pa, i);
> > > 	But, It init i to 0, then use i to update desc_pa. so we will always get  :
> > > 	desc_pa = vring_desc_addr(desc_pa, 0);
> > > 	is it right？or should we update desc_pa first, then init i to 0?
> > 
> > Is there a way to trigger a crash or erorr from a normal running guest?
> > 
> > Affected devices: serial, rng, and net - they call
> > virtqueue_get_avail_bytes() directly or indirectly.
> > 
> > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > > index 09f62c6..554ae6f 100644
> > > --- a/hw/virtio/virtio.c
> > > +++ b/hw/virtio/virtio.c
> > > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
> > >              /* loop over the indirect descriptor table */
> > >              indirect = 1;
> > >              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > -            num_bufs = i = 0;
> > >              desc_pa = vring_desc_addr(desc_pa, i);
> > > +           num_bufs = i = 0;
> > 
> > I agree, this looks wrong.  git-blame(1) doesn't reveal anything
> > interesting.  Looks like this bug has been around since 2009!
> 
> Hm, why hasn't this bitten anyone yet?
> 
> 		Amit


net uses virtqueue_get_avail_bytes for RX only, and drivers
only post single buffers there.

Same seems to be true for other devices?

Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes

[Amit Shah]

On (Tue) 03 Sep 2013 [14:15:55], Michael S. Tsirkin wrote:
> On Tue, Sep 03, 2013 at 04:40:21PM +0530, Amit Shah wrote:
> > On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> > > On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > > > Hi,all:
> > > > 	in func virtqueue_get_avail_bytes， when found a indirect desc, we need loop over it.
> > > >             /* loop over the indirect descriptor table */
> > > >             indirect = 1;
> > > >             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > >             num_bufs = i = 0;
> > > >             desc_pa = vring_desc_addr(desc_pa, i);
> > > > 	But, It init i to 0, then use i to update desc_pa. so we will always get  :
> > > > 	desc_pa = vring_desc_addr(desc_pa, 0);
> > > > 	is it right？or should we update desc_pa first, then init i to 0?
> > > 
> > > Is there a way to trigger a crash or erorr from a normal running guest?
> > > 
> > > Affected devices: serial, rng, and net - they call
> > > virtqueue_get_avail_bytes() directly or indirectly.
> > > 
> > > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > > > index 09f62c6..554ae6f 100644
> > > > --- a/hw/virtio/virtio.c
> > > > +++ b/hw/virtio/virtio.c
> > > > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
> > > >              /* loop over the indirect descriptor table */
> > > >              indirect = 1;
> > > >              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > > -            num_bufs = i = 0;
> > > >              desc_pa = vring_desc_addr(desc_pa, i);
> > > > +           num_bufs = i = 0;
> > > 
> > > I agree, this looks wrong.  git-blame(1) doesn't reveal anything
> > > interesting.  Looks like this bug has been around since 2009!
> > 
> > Hm, why hasn't this bitten anyone yet?
> 
> net uses virtqueue_get_avail_bytes for RX only, and drivers
> only post single buffers there.
> 
> Same seems to be true for other devices?

Yes, we were lucky.

		Amit