On (Tue) 03 Sep 2013 [14:15:55], Michael S. Tsirkin wrote:
> On Tue, Sep 03, 2013 at 04:40:21PM +0530, Amit Shah wrote:
> > On (Mon) 19 Aug 2013 [16:30:54], Stefan Hajnoczi wrote:
> > > On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> > > > Hi, all:
> > > > in func virtqueue_get_avail_bytes, when an indirect desc is found,
> > > > we need to loop over it.
> > > >
> > > >     /* loop over the indirect descriptor table */
> > > >     indirect = 1;
> > > >     max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > >     num_bufs = i = 0;
> > > >     desc_pa = vring_desc_addr(desc_pa, i);
> > > >
> > > > But it inits i to 0, then uses i to update desc_pa, so we will
> > > > always get:
> > > >
> > > >     desc_pa = vring_desc_addr(desc_pa, 0);
> > > >
> > > > Is it right? Or should we update desc_pa first, then init i to 0?
> > >
> > > Is there a way to trigger a crash or error from a normal running guest?
> > >
> > > Affected devices: serial, rng, and net - they call
> > > virtqueue_get_avail_bytes() directly or indirectly.
> > >
> > > > diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> > > > index 09f62c6..554ae6f 100644
> > > > --- a/hw/virtio/virtio.c
> > > > +++ b/hw/virtio/virtio.c
> > > > @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq,
> > > > unsigned int *in_bytes,
> > > > /* loop over the indirect descriptor table */
> > > > indirect = 1;
> > > > max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> > > > - num_bufs = i = 0;
> > > > desc_pa = vring_desc_addr(desc_pa, i);
> > > > + num_bufs = i = 0;
> > >
> > > I agree, this looks wrong. git-blame(1) doesn't reveal anything
> > > interesting. Looks like this bug has been around since 2009!
> >
> > Hm, why hasn't this bitten anyone yet?
>
> net uses virtqueue_get_avail_bytes for RX only, and drivers
> only post single buffers there.
>
> Same seems to be true for other devices?
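Review bot: The reordering is the right fix and the hunk's own context confirms it: `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` already reads the indirect descriptor's length from slot i before the reset, so `desc_pa = vring_desc_addr(desc_pa, i);` must read the address from that same slot, not from slot 0, which is exactly what moving `num_bufs = i = 0;` below it does. Two things are missing from the patch as quoted: there is no commit message or Signed-off-by line explaining that the device was previously walking whatever slot 0 pointed at as if it were the indirect table, and the `@@ -377,8 +377,8 @@` header promises eight lines per side while only six are shown, so the trailing context lines were lost in quoting and the hunk would not apply as pasted.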
Yes, we were lucky.

		Amit
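The ordering bug discussed in the thread, as an added example that is not QEMU code: a simulated descriptor walk over constructed guest memory, with the original order (reset i, then read the address) beside the corrected order (read the address from slot i, then reset). The names `desc_at`, `build_tables`, `avail_out_bytes`, `walk_demo` and the memory layout are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Legacy vring descriptor layout, matching QEMU's VRingDesc (16 bytes). */
typedef struct { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; } VRingDesc;
#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_WRITE    2
#define VRING_DESC_F_INDIRECT 4

/* Constructed flat "guest memory"; descriptor addresses are byte offsets into it. */
static uint64_t guest_mem[512];
static VRingDesc *desc_at(uint64_t pa, unsigned i) { return (VRingDesc *)((uint8_t *)guest_mem + pa) + i; }

/* Constructed layout: slot 0 of the main table (at 0) is a plain 64-byte buffer at 0x100;
 * slot 1 is INDIRECT and points at a two-entry table at 0x800 (512 + 256 readable bytes). */
void build_tables(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    *desc_at(0, 0)     = (VRingDesc){ 0x100, 64, 0, 0 };
    *desc_at(0, 1)     = (VRingDesc){ 0x800, 2 * sizeof(VRingDesc), VRING_DESC_F_INDIRECT, 0 };
    *desc_at(0x800, 0) = (VRingDesc){ 0x200, 512, VRING_DESC_F_NEXT, 1 };
    *desc_at(0x800, 1) = (VRingDesc){ 0x400, 256, 0, 0 };
}

/* Device-readable bytes in the chain at `head`, walking into an indirect table like
 * virtqueue_get_avail_bytes(). fixed=1: read the table address from slot i, then reset i.
 * fixed=0 (original order): reset i first, so the address is always read from slot 0. */
unsigned avail_out_bytes(uint64_t desc_pa, unsigned head, int fixed)
{
    unsigned i = head, max = 2, num_bufs = 0, out = 0;
    for (;;) {
        VRingDesc *d = desc_at(desc_pa, i);
        if (d->flags & VRING_DESC_F_INDIRECT) {
            max = d->len / sizeof(VRingDesc);
            if (fixed) { desc_pa = d->addr; num_bufs = i = 0; }
            else       { num_bufs = i = 0; desc_pa = desc_at(desc_pa, i)->addr; }
            continue;                         /* re-read descriptor i from the new table */
        }
        if (++num_bufs > max) return out;     /* looped or oversized chain: stop */
        if (!(d->flags & VRING_DESC_F_WRITE)) out += d->len;
        if (!(d->flags & VRING_DESC_F_NEXT)) return out;
        i = d->next;
    }
}

/* Head = slot 1 under both orders: 768 when fixed, 0 otherwise, because the original
 * order walks the zero-filled slot-0 data buffer at 0x100 as if it were a table. */
unsigned walk_demo(int fixed) { build_tables(); return avail_out_bytes(0, 1, fixed); }
```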