From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NZtnA-0000iG-2j
	for qemu-devel@nongnu.org; Tue, 26 Jan 2010 17:21:48 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1NZtn2-0000hV-Qd
	for qemu-devel@nongnu.org; Tue, 26 Jan 2010 17:21:45 -0500
Received: from [199.232.76.173] (port=57587 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NZtn1-0000hJ-TC
	for qemu-devel@nongnu.org; Tue, 26 Jan 2010 17:21:39 -0500
Received: from mx20.gnu.org ([199.232.41.8]:15407)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.60) (envelope-from <anthony@codemonkey.ws>)
	id 1NZtmz-0002jp-5K
	for qemu-devel@nongnu.org; Tue, 26 Jan 2010 17:21:39 -0500
Received: from mail-iw0-f188.google.com ([209.85.223.188])
	by mx20.gnu.org with esmtp (Exim 4.60)
	(envelope-from <anthony@codemonkey.ws>) id 1NZtmm-0006eD-Pb
	for qemu-devel@nongnu.org; Tue, 26 Jan 2010 17:21:24 -0500
Received: by mail-iw0-f188.google.com with SMTP id 26so5399878iwn.14
	for <qemu-devel@nongnu.org>; Tue, 26 Jan 2010 14:21:24 -0800 (PST)
Message-ID: <4B5F6AE1.8060502@codemonkey.ws>
Date: Tue, 26 Jan 2010 16:21:21 -0600
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH][STABLE] Musicpal: Fix descriptor walk in
	eth_send
References: <4B5C0A25.40202@web.de>
In-Reply-To: <4B5C0A25.40202@web.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jan Kiszka <jan.kiszka@web.de>
Cc: Anthony Liguori <aliguori@us.ibm.com>, qemu-devel <qemu-devel@nongnu.org>

On 01/24/2010 02:51 AM, Jan Kiszka wrote:
> Commit 930c86820e introduced a regression to eth_send: eth_tx_desc_put
> manipulates the host's tx descriptor copy before writing it back, but
> two lines down the descriptor is evaluated again, leaving us with an
> invalid next address if host and guest endianness differ. So this was
> the actual issue commit 2e87c5b937 tried to paper over.
>
> Signed-off-by: Jan Kiszka<jan.kiszka@web.de>
>    
Applied to stable.  Thanks.

Regards,

Anthony Liguori
> ---
>   hw/musicpal.c |    7 +++----
>   1 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/hw/musicpal.c b/hw/musicpal.c
> index e424a7d..b8af15e 100644
> --- a/hw/musicpal.c
> +++ b/hw/musicpal.c
> @@ -238,14 +238,13 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index)
>   {
>       uint32_t desc_addr = s->tx_queue[queue_index];
>       mv88w8618_tx_desc desc;
> +    uint32_t next_desc;
>       uint8_t buf[2048];
>       int len;
>
> -    if (!desc_addr) {
> -        return;
> -    }
>       do {
>           eth_tx_desc_get(desc_addr,&desc);
> +        next_desc = desc.next;
>           if (desc.cmdstat&  MP_ETH_TX_OWN) {
>               len = desc.bytes;
>               if (len<  2048) {
> @@ -256,7 +255,7 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index)
>               s->icr |= 1<<  (MP_ETH_IRQ_TXLO_BIT - queue_index);
>               eth_tx_desc_put(desc_addr,&desc);
>           }
> -        desc_addr = desc.next;
> +        desc_addr = next_desc;
>       } while (desc_addr != s->tx_queue[queue_index]);
>   }
>
>