From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50573)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1ZoNCc-0002gM-FN
	for qemu-devel@nongnu.org; Mon, 19 Oct 2015 23:03:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1ZoNCX-00053a-Gw
	for qemu-devel@nongnu.org; Mon, 19 Oct 2015 23:03:06 -0400
Received: from mx1.redhat.com ([209.132.183.28]:41192)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1ZoNCX-00053W-BV
	for qemu-devel@nongnu.org; Mon, 19 Oct 2015 23:03:01 -0400
References: <alpine.LFD.2.20.1510161627560.31779@wniryva>
	<5620F082.5040007@redhat.com>
	<alpine.LFD.2.20.1510162247310.4332@wniryva>
From: Jason Wang <jasowang@redhat.com>
Message-ID: <5625AEE0.7070908@redhat.com>
Date: Tue, 20 Oct 2015 11:02:56 +0800
MIME-Version: 1.0
In-Reply-To: <alpine.LFD.2.20.1510162247310.4332@wniryva>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over
 same command block
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
Cc: Qinghao Tang <luodalongde@gmail.com>, qemu-devel@nongnu.org



On 10/17/2015 01:19 AM, P J P wrote:
> +-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+
> | > +        if (s->tx.link == s->cu_offset)
> | > +            break;
> | 
> | Please update the patch to conform to QEMU's coding standards; braces
> | are required even around single-statement blocks.
>
>   Done. Please see an updated patch below.
>
> ===
> From bbf7b8914a984b09242e1cafc258bd71cecc47c8 Mon Sep 17 00:00:00 2001
> From: Prasad J Pandit <pjp@fedoraproject.org>
> Date: Fri, 16 Oct 2015 22:43:29 +0530
> Subject: eepro100: prevent an infinite loop over same command block
>
> action_command() routine executes a chain of commands located
> in the Command Block List(CBL). Each Command Block(CB) has a
> link to the next CB in the list, given by 's->tx.link'.
> This is used in conjunction with the base address 's->cu_base'.
>
> An infinite loop unfolds if the 'link' to the next CB is
> same as the previous one, the loop ends up executing the same
> command over and over again.
>
> Reported-by: Qinghao Tang <luodalongde@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/eepro100.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
> index 60333b7..0e4ad4e 100644
> --- a/hw/net/eepro100.c
> +++ b/hw/net/eepro100.c
> @@ -863,6 +863,9 @@ static void action_command(EEPRO100State *s)
>          uint16_t ok_status = STATUS_OK;
>          s->cb_address = s->cu_base + s->cu_offset;
>          read_cb(s);
> +        if (s->tx.link == s->cu_offset) {
> +            break;
> +        }
>          bit_el = ((s->tx.command & COMMAND_EL) != 0);
>          bit_s = ((s->tx.command & COMMAND_S) != 0);
>          bit_i = ((s->tx.command & COMMAND_I) != 0);

Can this survive if we had a chain like?

A->B->A

If not, looks like we need to limit the maximum number of commands in a
chain? (e.g 256)