From: "Michael S. Tsirkin" <mst@redhat.com>
To: Amit Shah <amit.shah@redhat.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>,
yinyin <yin.yin@cs2c.com.cn>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes
Date: Tue, 3 Sep 2013 14:15:55 +0300
Message-ID: <20130903111555.GA21067@redhat.com>
In-Reply-To: <20130903111021.GA2464@grmbl.mre>
On Tue, Sep 03, 2013 at 04:40:21PM +0530, Amit Shah wrote:
> On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> > On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > > Hi, all:
> > > in func virtqueue_get_avail_bytes, when found an indirect desc, we need loop over it.
> > > /* loop over the indirect descriptor table */
> > > indirect = 1;
> > > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > num_bufs = i = 0;
> > > desc_pa = vring_desc_addr(desc_pa, i);
> > > But it inits i to 0, then uses i to update desc_pa, so we will always get:
> > > desc_pa = vring_desc_addr(desc_pa, 0);
> > > Is it right? Or should we update desc_pa first, then init i to 0?
> >
> > Is there a way to trigger a crash or error from a normal running guest?
> >
> > Affected devices: serial, rng, and net - they call
> > virtqueue_get_avail_bytes() directly or indirectly.
> >
> > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > > index 09f62c6..554ae6f 100644
> > > --- a/hw/virtio/virtio.c
> > > +++ b/hw/virtio/virtio.c
> > > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
> > > /* loop over the indirect descriptor table */
> > > indirect = 1;
> > > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > - num_bufs = i = 0;
> > > desc_pa = vring_desc_addr(desc_pa, i);
> > > + num_bufs = i = 0;
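Review bot: the reorder is right: `vring_desc_addr(desc_pa, i)` has to be evaluated while `i` still holds the index of the indirect descriptor, exactly as the `max = vring_desc_len(desc_pa, i)` line just above it already does, so `num_bufs = i = 0` belongs after both reads; with the old order the table walked was always whatever ring descriptor 0 points at, and the byte counts returned for a head at any other index came from the wrong guest memory. As quoted, though, the hunk has lost its leading indentation and the trailing context lines implied by `@@ -377,8 +377,8 @@`, so it will not apply cleanly; please resend it with whitespace intact (git send-email) and with a Signed-off-by line.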
> >
> > I agree, this looks wrong. git-blame(1) doesn't reveal anything
> > interesting. Looks like this bug has been around since 2009!
>
> Hm, why hasn't this bitten anyone yet?
>
> Amit
net uses virtqueue_get_avail_bytes for RX only, and drivers
only post single buffers there.
Same seems to be true for other devices?
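Added example, not code from the QEMU tree or from anyone in this thread: a small C model of the indirect-table walk discussed above, run over a constructed descriptor ring, showing that with `num_bufs = i = 0` ahead of the `desc_pa` update the walk follows ring descriptor 0's address instead of the posted head's and returns byte counts taken from the wrong table (`desc_at`, `put_desc`, `probe` and all addresses are made up for the model).

```c
#include <stdint.h>
#include <string.h>
#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_WRITE    2
#define VRING_DESC_F_INDIRECT 4
typedef struct { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; } VRingDesc;
/* Constructed guest memory: ring at gpa 0, posted indirect table at 1024, decoy at 2048. */
static uint8_t gmem[4096];
static VRingDesc desc_at(uint64_t pa, unsigned i) {
    VRingDesc d; memcpy(&d, gmem + pa + (uint64_t)i * sizeof d, sizeof d); return d;
}
static void put_desc(uint64_t pa, unsigned i, uint64_t addr, uint32_t len, uint16_t fl, uint16_t nx) {
    VRingDesc d = { addr, len, fl, nx }; memcpy(gmem + pa + (uint64_t)i * sizeof d, &d, sizeof d);
}
/* Hypothetical model of the walk in virtqueue_get_avail_bytes() for one head; buggy=1 keeps the original ordering. */
static int get_avail_bytes(uint64_t ring_pa, unsigned head, int buggy,
                           unsigned *in_bytes, unsigned *out_bytes) {
    uint64_t desc_pa = ring_pa; unsigned i = head, max = 4, num_bufs = 0; /* ring size 4 */
    *in_bytes = *out_bytes = 0;
    if (desc_at(desc_pa, i).flags & VRING_DESC_F_INDIRECT) {
        max = desc_at(desc_pa, i).len / sizeof(VRingDesc);
        if (buggy) {
            num_bufs = i = 0;                   /* i is clobbered here ...       */
            desc_pa = desc_at(desc_pa, i).addr; /* ... so this reads ring desc 0 */
        } else {
            desc_pa = desc_at(desc_pa, i).addr; /* fixed: addr of the real head  */
            num_bufs = i = 0;
        }
    }
    for (;;) {
        VRingDesc d = desc_at(desc_pa, i);
        if (++num_bufs > max) return -1;        /* chain-length guard */
        if (d.flags & VRING_DESC_F_WRITE) *in_bytes += d.len; else *out_bytes += d.len;
        if (!(d.flags & VRING_DESC_F_NEXT)) return 0;
        i = d.next;
    }
}
static void setup(void) {
    memset(gmem, 0, sizeof gmem);                          /* driver posts head 2 (indirect, 3 entries) */
    put_desc(0, 0, 2048, 64, VRING_DESC_F_WRITE, 0);       /* unrelated desc 0; addr holds a 1-entry table */
    put_desc(0, 2, 1024, 48, VRING_DESC_F_INDIRECT, 0);    /* len 48 = 3 descriptors */
    put_desc(1024, 0, 3000, 100, VRING_DESC_F_NEXT, 1);    /* 100 out */
    put_desc(1024, 1, 3100, 200, VRING_DESC_F_NEXT, 2);    /* 200 out */
    put_desc(1024, 2, 3300, 300, VRING_DESC_F_WRITE, 0);   /* 300 in  */
    put_desc(2048, 0, 3600, 64, VRING_DESC_F_WRITE, 0);    /* decoy: 64 in */
}
static long probe(int buggy) {                             /* in_bytes * 1000 + out_bytes, or -1 */
    unsigned in, out; setup();
    return get_avail_bytes(0, 2, buggy, &in, &out) ? -1 : (long)in * 1000 + out;
}
```

`probe(0)` reports the posted chain's 300 in / 300 out bytes, while `probe(1)` reports 64 in / 0 out read from the decoy table that ring descriptor 0 happens to point at.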
Thread overview: 8+ messages
2013-08-19 9:28 [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes yinyin
2013-08-19 14:30 ` Stefan Hajnoczi
2013-08-22 6:47 ` [Qemu-devel] [PATCH]virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table yinyin
2013-08-22 11:59 ` Stefan Hajnoczi
2013-08-25 9:51 ` Michael S. Tsirkin
2013-09-03 11:10 ` [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes Amit Shah
2013-09-03 11:15 ` Michael S. Tsirkin [this message]
2013-09-04 12:18 ` Amit Shah