On Mon, Aug 19, 2013 at 05:28:44PM +0800, yinyin wrote:
> Hi, all:
>     in func virtqueue_get_avail_bytes, when we find an indirect desc, we need
> to loop over it.
>         /* loop over the indirect descriptor table */
>         indirect = 1;
>         max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
>         num_bufs = i = 0;
>         desc_pa = vring_desc_addr(desc_pa, i);
>     But it inits i to 0, then uses i to update desc_pa, so we will always
> get:
>         desc_pa = vring_desc_addr(desc_pa, 0);
>     Is it right? Or should we update desc_pa first, then init i to 0?
Is there a way to trigger a crash or error from a normal running guest?

Affected devices: serial, rng, and net - they call
virtqueue_get_avail_bytes() directly or indirectly.

> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 09f62c6..554ae6f 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -377,8 +377,8 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned
> int *in_bytes,
>              /* loop over the indirect descriptor table */
>              indirect = 1;
>              max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
> -            num_bufs = i = 0;
>              desc_pa = vring_desc_addr(desc_pa, i);
> +            num_bufs = i = 0;

I agree, this looks wrong.  git-blame(1) doesn't reveal anything
interesting.  Looks like this bug has been around since 2009!

Please resend your patch according to the guidelines here:
http://qemu-project.org/Contribute/SubmitAPatch

In particular, please include a Signed-off-by: Your Name <y...@email.org>
line.

Stefan
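Review bot: the reordering in the hunk is right, and the reason is visible on the context line above the change: `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` already reads the head descriptor `i`, so `desc_pa = vring_desc_addr(desc_pa, i);` must read the same head before `num_bufs = i = 0;` clears it. With the old order the address was always taken from descriptor 0 of the outer table, so for any indirect chain whose head is not descriptor 0 the in/out byte totals were computed from whatever descriptor 0 pointed at rather than from the indirect table. When resending, the commit message should state exactly that (which descriptor was read, and what the totals were computed from), and the patch needs the Signed-off-by line Stefan asks for below.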
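To make the effect of the statement order concrete, here is an added example that is not QEMU's code and not part of this thread: a small C model of the descriptor walk in the indirect branch of virtqueue_get_avail_bytes(). Guest memory is a constructed byte array, the descriptor layout is the virtio ring VRingDesc (u64 addr, u32 len, u16 flags, u16 next, little-endian), and the names build_ring(), chain_bytes(), the addresses RING_DESC_PA, INDIRECT_PA, DATA_PA and the 50/64-byte lengths are all assumptions chosen for the illustration. chain_bytes() takes a `fixed` flag that selects the order of the two statements the patch swaps, so the same chain can be summed both ways.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the structures virtqueue_get_avail_bytes() walks.
 * This is an added illustration, not QEMU's code: "guest memory" is a flat
 * byte array and descriptors use the virtio ring layout (16-byte VRingDesc:
 * u64 addr, u32 len, u16 flags, u16 next, all little-endian). */
#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_WRITE    2
#define VRING_DESC_F_INDIRECT 4
#define DESC_SIZE             16

#define RING_DESC_PA 0x0000   /* outer descriptor table (2 entries), assumed */
#define INDIRECT_PA  0x0200   /* indirect table referenced by head 1, assumed */
#define DATA_PA      0x1000   /* plain data buffer referenced by desc 0, assumed */
#define RING_NUM     2

static uint8_t mem[0x4000];   /* constructed guest physical memory */

static uint64_t ld_le(uint64_t pa, int n)
{
    uint64_t v = 0;
    for (int k = n - 1; k >= 0; k--)
        v = (v << 8) | mem[pa + k];
    return v;
}

static void st_le(uint64_t pa, uint64_t v, int n)
{
    for (int k = 0; k < n; k++)
        mem[pa + k] = (uint8_t)(v >> (8 * k));
}

/* Same accessor shape as the vring_desc_*() helpers used in the hunk. */
static uint64_t vring_desc_addr(uint64_t desc_pa, int i)  { return ld_le(desc_pa + i * DESC_SIZE, 8); }
static uint32_t vring_desc_len(uint64_t desc_pa, int i)   { return (uint32_t)ld_le(desc_pa + i * DESC_SIZE + 8, 4); }
static uint16_t vring_desc_flags(uint64_t desc_pa, int i) { return (uint16_t)ld_le(desc_pa + i * DESC_SIZE + 12, 2); }
static uint16_t vring_desc_next(uint64_t desc_pa, int i)  { return (uint16_t)ld_le(desc_pa + i * DESC_SIZE + 14, 2); }

static void put_desc(uint64_t pa, uint64_t addr, uint32_t len, uint16_t flags, uint16_t next)
{
    st_le(pa, addr, 8);
    st_le(pa + 8, len, 4);
    st_le(pa + 12, flags, 2);
    st_le(pa + 14, next, 2);
}

/* Lay out one ring: desc 0 is a direct 64-byte buffer, desc 1 is an
 * indirect head whose table holds two 50-byte descriptors. */
void build_ring(void)
{
    memset(mem, 0, sizeof mem);
    put_desc(RING_DESC_PA + 0 * DESC_SIZE, DATA_PA, 64, 0, 0);
    put_desc(RING_DESC_PA + 1 * DESC_SIZE, INDIRECT_PA, 2 * DESC_SIZE, VRING_DESC_F_INDIRECT, 0);
    put_desc(INDIRECT_PA + 0 * DESC_SIZE, 0x3000, 50, VRING_DESC_F_NEXT, 1);
    put_desc(INDIRECT_PA + 1 * DESC_SIZE, 0x3100, 50, VRING_DESC_F_WRITE, 0);
    memset(mem + DATA_PA, 0xAA, 64);   /* opaque payload, not a descriptor table */
}

/* Sum the lengths of the chain starting at `head`, mirroring the indirect
 * branch of virtqueue_get_avail_bytes(). `fixed` selects the statement order
 * after (1) or before (0) the patch. Malformed chains return UINT64_MAX
 * where QEMU would error_report() and exit. */
uint64_t chain_bytes(int head, int fixed)
{
    unsigned max = RING_NUM, num_bufs = 0;
    uint64_t desc_pa = RING_DESC_PA, total = 0;
    int i = head;

    if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_INDIRECT) {
        if (vring_desc_len(desc_pa, i) % DESC_SIZE)
            return UINT64_MAX;
        max = vring_desc_len(desc_pa, i) / DESC_SIZE;
        if (fixed) {
            desc_pa = vring_desc_addr(desc_pa, i);  /* table address taken from head i */
            num_bufs = i = 0;
        } else {
            num_bufs = i = 0;
            desc_pa = vring_desc_addr(desc_pa, i);  /* i is already 0: desc 0's addr */
        }
    }
    for (;;) {
        if (++num_bufs > max)
            return UINT64_MAX;                      /* descriptor loop */
        total += vring_desc_len(desc_pa, i);
        if (!(vring_desc_flags(desc_pa, i) & VRING_DESC_F_NEXT))
            return total;
        i = vring_desc_next(desc_pa, i);
        if ((unsigned)i >= max)
            return UINT64_MAX;                      /* next index outside the table */
    }
}

int main(void)
{
    build_ring();
    printf("patched order: %llu bytes\n", (unsigned long long)chain_bytes(1, 1));
    printf("old order    : %llu bytes\n", (unsigned long long)chain_bytes(1, 0));
    return 0;
}
```

With the patched order the walk of head 1 reaches the indirect table at INDIRECT_PA and sums 50 + 50 bytes. With the old order desc_pa becomes DATA_PA, the address held by descriptor 0, and the 0xAA payload there is parsed as a descriptor: its "len" field is 0xAAAAAAAA, so the byte total is garbage. The `max` check does not help, because `max` was correctly derived from head 1 while the table being walked is not the one that length describes, which is why a mismatch between the reads of `i` matters rather than only the reset itself.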