Date: Tue, 3 Sep 2013 14:15:55 +0300
From: "Michael S. Tsirkin"
Message-ID: <20130903111555.GA21067@redhat.com>
References: <2952D48C-BC95-446D-92E8-04DE2BC3B873@cs2c.com.cn> <20130819143054.GA9866@stefanha-thinkpad.redhat.com> <20130903111021.GA2464@grmbl.mre>
In-Reply-To: <20130903111021.GA2464@grmbl.mre>
Subject: Re: [Qemu-devel] [qemu-devel] question on virtqueue_get_avail_bytes
To: Amit Shah
Cc: Stefan Hajnoczi, yinyin, "qemu-devel@nongnu.org"

On Tue, Sep 03, 2013 at 04:40:21PM +0530, Amit Shah wrote:
> On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> > On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > > Hi, all:
> > >     In func virtqueue_get_avail_bytes, when an indirect desc is found, we need to loop over it.
> > >
> > >             /* loop over the indirect descriptor table */
> > >             indirect = 1;
> > >             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > >             num_bufs = i = 0;
> > >             desc_pa = vring_desc_addr(desc_pa, i);
> > >
> > >     But it inits i to 0, then uses i to update desc_pa, so we will always get:
> > >
> > >             desc_pa = vring_desc_addr(desc_pa, 0);
> > >
> > >     Is it right? Or should we update desc_pa first, then init i to 0?
> >
> > Is there a way to trigger a crash or error from a normal running guest?
> >
> > Affected devices: serial, rng, and net - they call
> > virtqueue_get_avail_bytes() directly or indirectly.
> >
> > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > > index 09f62c6..554ae6f 100644
> > > --- a/hw/virtio/virtio.c
> > > +++ b/hw/virtio/virtio.c
> > > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
> > >              /* loop over the indirect descriptor table */
> > >              indirect = 1;
> > >              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > -            num_bufs = i = 0;
> > >              desc_pa = vring_desc_addr(desc_pa, i);
> > > +            num_bufs = i = 0;
> >
> > I agree, this looks wrong.  git-blame(1) doesn't reveal anything
> > interesting.  Looks like this bug has been around since 2009!
>
> Hm, why hasn't this bitten anyone yet?
>
> 		Amit

net uses virtqueue_get_avail_bytes for RX only, and drivers only post
single buffers there.

Same seems to be true for other devices?
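Review bot: the reorder is the right fix and the commit message should say why: vring_desc_addr(desc_pa, i) has to be evaluated with the original i, because once `num_bufs = i = 0;` has run it reads entry 0 of the outer table instead of the indirect entry that was just found, while `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc)` on the line above already uses the correct i. As posted, the hunk carries no commit message and no Signed-off-by line, so it cannot be applied as is; the thread's open questions (which devices reach this path, with serial, rng and net named, and whether a guest can cause more than a wrong byte count) belong in that commit message, since the descriptor table contents are read from guest memory.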
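To make the ordering problem discussed in this thread concrete, the following C model is added here; it is not code from the thread or from QEMU. It walks a constructed two-level descriptor layout once with the original statement order and once with the patched order. The VRingDesc struct, the flag values, the flat "guest memory" buffer and the helper names (read_desc, sum_chain_bytes, setup_ring and the avail_bytes_* wrappers) are assumptions of this model, and the walker is a simplified stand-in for virtqueue_get_avail_bytes() that reports one total instead of an in/out split.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Descriptor layout as in the virtio ring spec: 16 bytes, no padding. */
typedef struct {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} VRingDesc;

#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_INDIRECT 4

/* Constructed stand-in for guest memory: "physical addresses" are offsets
 * into this 4 KiB buffer (union keeps it 8-byte aligned). */
#define GUEST_MEM_SIZE 4096
static union { uint64_t align; uint8_t bytes[GUEST_MEM_SIZE]; } guest_mem;

/* Copy descriptor i of the table at desc_pa out of guest memory.
 * Returns 0 instead of reading past the buffer on an out-of-range address. */
static int read_desc(uint64_t desc_pa, unsigned int i, VRingDesc *out)
{
    uint64_t off;
    if (desc_pa >= GUEST_MEM_SIZE)
        return 0;
    off = desc_pa + (uint64_t)i * sizeof(VRingDesc);
    if (off + sizeof(VRingDesc) > GUEST_MEM_SIZE)
        return 0;
    memcpy(out, guest_mem.bytes + off, sizeof *out);
    return 1;
}

/* Sum the byte counts of the chain starting at index `head` of the table at
 * `desc_pa` holding `max` entries. reset_before_read=1 reproduces the
 * original statement order from the thread; 0 is the patched order.
 * Returns UINT32_MAX for a looped, nested or out-of-range chain. */
uint32_t sum_chain_bytes(uint64_t desc_pa, unsigned int max, unsigned int head,
                         int reset_before_read)
{
    uint32_t total = 0;
    unsigned int i = head, num_bufs = 0;
    int indirect = 0;
    VRingDesc d;

    for (;;) {
        if (i >= max || ++num_bufs > max || !read_desc(desc_pa, i, &d))
            return UINT32_MAX;                 /* looped or out-of-range chain */

        if (d.flags & VRING_DESC_F_INDIRECT) {
            if (indirect || d.len % sizeof(VRingDesc))
                return UINT32_MAX;             /* nested table or bad table size */
            indirect = 1;
            max = d.len / sizeof(VRingDesc);   /* vring_desc_len(desc_pa, i) / sizeof */
            if (reset_before_read) {
                /* original order: i is zeroed first, so the table address is
                 * taken from entry 0 of the outer table, not from entry i */
                num_bufs = i = 0;
                if (!read_desc(desc_pa, i, &d))
                    return UINT32_MAX;
                desc_pa = d.addr;
            } else {
                /* patched order: d.addr is still the indirect entry's address */
                desc_pa = d.addr;
                num_bufs = i = 0;
            }
            continue;
        }

        total += d.len;
        if (!(d.flags & VRING_DESC_F_NEXT))
            break;
        i = d.next;
    }
    return total;
}

/* Constructed layout (example data only):
 *   0x000: outer table, 2 entries: [0] buffer @0x800, len 100, NEXT -> 1
 *                                  [1] INDIRECT -> table @0x100, len 32
 *   0x100: indirect table, 2 entries: [0] @0x900 len 200 NEXT -> 1, [1] @0xa00 len 300
 *   0x800: the 100-byte payload of entry 0, filled with payload_fill */
static void setup_ring(uint8_t payload_fill)
{
    VRingDesc outer[2] = {
        { 0x800, 100, VRING_DESC_F_NEXT, 1 },
        { 0x100, 2 * sizeof(VRingDesc), VRING_DESC_F_INDIRECT, 0 },
    };
    VRingDesc inner[2] = {
        { 0x900, 200, VRING_DESC_F_NEXT, 1 },
        { 0xa00, 300, 0, 0 },
    };
    memset(guest_mem.bytes, 0, sizeof guest_mem.bytes);
    memcpy(guest_mem.bytes + 0x000, outer, sizeof outer);
    memcpy(guest_mem.bytes + 0x100, inner, sizeof inner);
    memset(guest_mem.bytes + 0x800, payload_fill, 100);
}

uint32_t avail_bytes_fixed(void)                 { setup_ring(0x00); return sum_chain_bytes(0, 2, 0, 0); }
uint32_t avail_bytes_buggy(void)                 { setup_ring(0x00); return sum_chain_bytes(0, 2, 0, 1); }
uint32_t avail_bytes_buggy_nonzero_payload(void) { setup_ring(0xff); return sum_chain_bytes(0, 2, 0, 1); }

int main(void)
{
    printf("patched order: %u bytes\n", avail_bytes_fixed());
    printf("original order, zeroed payload: %u bytes\n", avail_bytes_buggy());
    printf("original order, 0xff payload: %u (UINT32_MAX = malformed)\n",
           avail_bytes_buggy_nonzero_payload());
    return 0;
}
```

With the patched order the walk reaches the indirect table and reports 600 bytes; with the original order it takes entry 0's buffer address (0x800) as the table address and parses the payload as descriptors, so the result depends on whatever bytes the guest put there: 100 for a zeroed payload, and a malformed chain once the payload contains set flag bits.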