From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1NYyCP-0004dC-30 for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:52:01 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1NYyCK-0004as-JR for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:52:00 -0500 Received: from [199.232.76.173] (port=36410 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1NYyCK-0004ap-EI for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:51:56 -0500 Received: from fmmailgate01.web.de ([217.72.192.221]:34332) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1NYyCJ-0000a8-QG for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:51:56 -0500 Message-ID: <4B5C0A25.40202@web.de> Date: Sun, 24 Jan 2010 09:51:49 +0100 From: Jan Kiszka MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig7723F04E2DB33FB53B17438D" Sender: jan.kiszka@web.de Subject: [Qemu-devel] [PATCH][STABLE] Musicpal: Fix descriptor walk in eth_send List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: malc Cc: Anthony Liguori , qemu-devel This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig7723F04E2DB33FB53B17438D Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable Commit 930c86820e introduced a regression to eth_send: eth_tx_desc_put manipulates the host's tx descriptor copy before writing it back, but two lines down the descriptor is evaluated again, leaving us with an invalid next address if host and guest endianness differ. So this was the actual issue commit 2e87c5b937 tried to paper over. Signed-off-by: Jan Kiszka --- hw/musicpal.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) diff --git a/hw/musicpal.c b/hw/musicpal.c index e424a7d..b8af15e 100644 --- a/hw/musicpal.c +++ b/hw/musicpal.c 
@@ -238,14 +238,13 @@ static void eth_send(mv88w8618_eth_state *s, int qu= eue_index) { uint32_t desc_addr =3D s->tx_queue[queue_index]; mv88w8618_tx_desc desc; + uint32_t next_desc; uint8_t buf[2048]; int len; =20 - if (!desc_addr) { - return; - } do { eth_tx_desc_get(desc_addr, &desc); + next_desc =3D desc.next; if (desc.cmdstat & MP_ETH_TX_OWN) { len =3D desc.bytes; if (len < 2048) { @@ -256,7 +255,7 @@ static void eth_send(mv88w8618_eth_state *s, int queu= e_index) s->icr |=3D 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index); eth_tx_desc_put(desc_addr, &desc); } - desc_addr =3D desc.next; + desc_addr =3D next_desc; } while (desc_addr !=3D s->tx_queue[queue_index]); } =20 --=20 1.6.0.2 --------------enig7723F04E2DB33FB53B17438D Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAktcCigACgkQitSsb3rl5xQLRQCeP620mH7KqNl4E0lJq5jg7ZRN 2QkAn1ZMABi97Ix4GYbxoAGzw1gVqLui =Pymt -----END PGP SIGNATURE----- --------------enig7723F04E2DB33FB53B17438D--
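Review bot: In the first hunk, removing the `if (!desc_addr) { return; }` guard means a queue whose `s->tx_queue[queue_index]` is still 0 is now walked at least once, because the do/while body runs before the termination test. `eth_tx_desc_get(0, &desc)` then reads a descriptor from address 0, and if `MP_ETH_TX_OWN` happens to be set there, the descriptor is processed and written back with `eth_tx_desc_put`. The commit message only hints that this guard was the workaround from 2e87c5b937. Either keep the guard or state explicitly in the message why starting the walk at address 0 is acceptable. A one-line comment next to `next_desc = desc.next;` saying that `eth_tx_desc_put` modifies `desc` in place would also keep the saved copy from being "simplified" away later.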
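Review bot: In the second hunk, the walk after `desc_addr = next_desc;` still terminates only when `desc_addr != s->tx_queue[queue_index]` becomes false, so it depends on the `next` field read from each descriptor eventually pointing back at the queue head. A ring that never closes keeps `eth_send` looping. Since this patch already touches how the next pointer is handled, consider bounding the walk here or in a follow-up, for example with an iteration cap.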