Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes
From: Amit Shah
Subject: Re: [Qemu-devel] [qemu-devel]question on virtqueue_get_avail_bytes
Date: Tue, 3 Sep 2013 16:40:21 +0530
On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > Hi all,
> > In virtqueue_get_avail_bytes(), when an indirect descriptor is found, we
> > need to loop over it:
> > /* loop over the indirect descriptor table */
> > indirect = 1;
> > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > num_bufs = i = 0;
> > desc_pa = vring_desc_addr(desc_pa, i);
> > But it initialises i to 0 and then uses i to update desc_pa, so we will
> > always get:
> > desc_pa = vring_desc_addr(desc_pa, 0);
> > Is this right, or should we update desc_pa first and then initialise i to 0?
>
> Is there a way to trigger a crash or error from a normal running guest?
>
> Affected devices: serial, rng, and net - they call
> virtqueue_get_avail_bytes() directly or indirectly.
>
> > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > index 09f62c6..554ae6f 100644
> > --- a/hw/virtio/virtio.c
> > +++ b/hw/virtio/virtio.c
> > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned
> > int *in_bytes,
> > /* loop over the indirect descriptor table */
> > indirect = 1;
> > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > - num_bufs = i = 0;
> > desc_pa = vring_desc_addr(desc_pa, i);
> > + num_bufs = i = 0;
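Review bot: the hunk as quoted is truncated and will not apply as pasted: its header `@@ -377,8 +377,8 @@` promises eight lines per side, but only five follow on each side (three leading context lines, the removed and added `num_bufs = i = 0;` lines, and one shared context line), and the header itself has been mail-wrapped onto two lines (`... unsigned` / `int *in_bytes,`), which also breaks `git am`; please resend the complete patch, unwrapped, with a Signed-off-by. The reordering itself is the right fix: `max` is computed with the original `i` just above, so the only read done after `i` was zeroed is `vring_desc_addr(desc_pa, i)`, which made the device take the indirect table address from descriptor 0 instead of descriptor `i`, and therefore produce wrong in/out byte counts whenever an indirect head sits at a nonzero index. A one-line comment on the reordered lines saying that `i` must still be the outer index when the table address is read would keep a future cleanup from regrouping the assignments.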
>
> I agree, this looks wrong. git-blame(1) doesn't reveal anything
> interesting. Looks like this bug has been around since 2009!
Hm, why hasn't this bitten anyone yet?
Amit
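As an added illustration of the ordering bug discussed above (this is my own simulation, not code from this thread or from QEMU): the two helpers below take the address of a descriptor table and the index `i` of a descriptor already known to carry the indirect flag, and return the address from which the indirect table would then be walked, once in the pre-patch order (`i` zeroed before the read) and once in the patched order. Guest memory is a constructed byte array, the descriptor layout is the 16-byte legacy virtio descriptor (addr, len, flags, next), and `vring_desc_addr()` and friends are stand-ins that read from that array rather than through QEMU's memory API. With the indirect descriptor at index 2, the old order reads descriptor 0's buffer address and walks a table of zeros; only when the indirect descriptor happens to sit at index 0 do the two orders agree.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Legacy virtio descriptor layout (16 bytes). Host-endian here for simplicity. */
typedef struct {
    uint64_t addr;   /* buffer address, or the indirect table address */
    uint32_t len;    /* buffer length, or the indirect table size in bytes */
    uint16_t flags;  /* VRING_DESC_F_* bits */
    uint16_t next;   /* index of the next descriptor when F_NEXT is set */
} VRingDesc;

#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_INDIRECT 4

/* Constructed layout: main ring table at MAIN_PA, indirect table at INDIRECT_PA. */
#define MAIN_PA     0x100u
#define INDIRECT_PA 0x800u

/* Constructed "guest memory": offsets into this array play the role of
 * guest-physical addresses. */
static uint8_t guest_mem[0x10000];

static void write_desc(uint64_t pa, const VRingDesc *d)
{
    memcpy(guest_mem + pa, d, sizeof *d);
}

static VRingDesc read_desc(uint64_t desc_pa, unsigned int i)
{
    VRingDesc d;
    memcpy(&d, guest_mem + desc_pa + (uint64_t)i * sizeof d, sizeof d);
    return d;
}

/* Stand-ins for the vring_desc_*() accessors (hypothetical, simulation only). */
static uint64_t vring_desc_addr(uint64_t pa, unsigned int i)  { return read_desc(pa, i).addr; }
static uint32_t vring_desc_len(uint64_t pa, unsigned int i)   { return read_desc(pa, i).len; }
static uint16_t vring_desc_flags(uint64_t pa, unsigned int i) { return read_desc(pa, i).flags; }
static uint16_t vring_desc_next(uint64_t pa, unsigned int i)  { return read_desc(pa, i).next; }

/* Main table: two direct descriptors, then an indirect one at index 2 whose
 * table holds two 128-byte buffers (256 bytes in total). */
void build_sample_ring(void)
{
    VRingDesc d0 = { .addr = 0x1000, .len = 64, .flags = VRING_DESC_F_NEXT, .next = 1 };
    VRingDesc d1 = { .addr = 0x2000, .len = 64, .flags = VRING_DESC_F_NEXT, .next = 2 };
    VRingDesc d2 = { .addr = INDIRECT_PA, .len = 2 * sizeof(VRingDesc),
                     .flags = VRING_DESC_F_INDIRECT, .next = 0 };
    VRingDesc i0 = { .addr = 0x3000, .len = 128, .flags = VRING_DESC_F_NEXT, .next = 1 };
    VRingDesc i1 = { .addr = 0x4000, .len = 128, .flags = 0, .next = 0 };

    memset(guest_mem, 0, sizeof guest_mem);
    write_desc(MAIN_PA + 0 * sizeof(VRingDesc), &d0);
    write_desc(MAIN_PA + 1 * sizeof(VRingDesc), &d1);
    write_desc(MAIN_PA + 2 * sizeof(VRingDesc), &d2);
    write_desc(INDIRECT_PA + 0 * sizeof(VRingDesc), &i0);
    write_desc(INDIRECT_PA + 1 * sizeof(VRingDesc), &i1);
}

/* Pre-patch order: i is zeroed before the table address is read. */
uint64_t indirect_table_pa_buggy(uint64_t desc_pa, unsigned int i)
{
    unsigned int max, num_bufs;
    max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);  /* still uses the caller's i */
    num_bufs = i = 0;                                       /* i clobbered here ... */
    desc_pa = vring_desc_addr(desc_pa, i);                  /* ... so this reads descriptor 0 */
    (void)max; (void)num_bufs;
    return desc_pa;
}

/* Patched order: read the address from descriptor i, then reset i for the walk. */
uint64_t indirect_table_pa_fixed(uint64_t desc_pa, unsigned int i)
{
    unsigned int max, num_bufs;
    max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
    desc_pa = vring_desc_addr(desc_pa, i);
    num_bufs = i = 0;
    (void)max; (void)num_bufs;
    return desc_pa;
}

/* Walk an indirect table of at most `max` entries and sum the buffer lengths,
 * stopping rather than reading past the table if `next` points outside it. */
unsigned int indirect_chain_bytes(uint64_t table_pa, unsigned int max)
{
    unsigned int i = 0, n, total = 0;
    for (n = 0; n < max; n++) {
        total += vring_desc_len(table_pa, i);
        if (!(vring_desc_flags(table_pa, i) & VRING_DESC_F_NEXT))
            break;
        i = vring_desc_next(table_pa, i);
        if (i >= max)
            break;
    }
    return total;
}

int main(void)
{
    build_sample_ring();
    uint64_t bad = indirect_table_pa_buggy(MAIN_PA, 2);
    uint64_t good = indirect_table_pa_fixed(MAIN_PA, 2);
    printf("old order: table at 0x%llx, %u bytes\n", (unsigned long long)bad,
           indirect_chain_bytes(bad, 2));
    printf("new order: table at 0x%llx, %u bytes\n", (unsigned long long)good,
           indirect_chain_bytes(good, 2));
    return 0;
}
```

The old order ends up walking whatever descriptor 0's buffer address happens to point at as if it were a descriptor table; in the constructed memory that region is zero-filled, so the byte count silently comes out as 0 instead of 256, which is the kind of wrong in/out estimate the affected serial, rng and net devices would act on.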