On 05/09/2016 13:13, P J P wrote:
> +-- On Mon, 5 Sep 2016, Paolo Bonzini wrote --+
> | No, that's not what happens. chunk_size is set to sg.resid, after which:
> |
> |     sg.dataAddr += chunk_size;
> |     data_length -= chunk_size;
> |     sg.resid -= chunk_size;
> |
> | The loop is reentered with sg.resid == 0, it calls into
> | pvscsi_get_next_sg_elem and this sets sg.resid to a nonzero value. It's
> | not an infinite loop.
>
> Yes, true; but 'pvscsi_get_next_sg_elem' does not return a non-zero
> 'sg.resid' each time. In fact, it returns more zeros and thus the loop
> iterates infinitely. When I ran it with a 64-bit 'data_length' and without
> the cast, after some time the inner loop gets stuck and does not seem to
> read non-zero values into 'sg.resid'.

pvscsi_get_next_sg_elem just reads 16 bytes from guest RAM, so I guess
that's because you didn't set up the SG list correctly. QEMU indeed
doesn't check for that, but that's a different bug.

> Is there a limit to the number of SG elements?

Without a public spec it's hard, but I guess 2048 is more than enough.

Paolo
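A model of the walk under discussion, added here as an example and not code from QEMU or from either poster: the walker fetches 16-byte elements from a buffer standing in for guest RAM, and an optional element cap (2048, the figure suggested above) turns a guest-supplied list whose elements all have length 0 from an inner loop that only advances when a read fails (or never, on a real guest) into a bounded error. The function names (convert_sglist, get_next_sg_elem, demo_*), the element layout, the 64 KiB RAM size, the list addresses and the return codes are assumptions made for the example; the two sample lists are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RAM_SIZE     (64 * 1024)  /* constructed guest RAM: 64 KiB, zero-filled */
#define SG_ELEM_SIZE 16           /* one element is 16 bytes, as stated in the reply */
#define MAX_SG_ELEMS 2048         /* assumed cap, from "2048 is more than enough" */

/* Guest-controlled SG element. Assumed layout: 64-bit address,
 * 32-bit length, 32-bit flags; 16 bytes total. */
struct sg_elem { uint64_t addr; uint32_t length; uint32_t flags; };

/* Walker state mirroring the fields named in the quoted loop. */
struct sg_state { uint64_t elem_addr; uint64_t dataAddr; uint32_t resid; };

enum sg_result { SG_OK = 0, SG_TOO_MANY_ELEMS = 1, SG_BAD_READ = 2 };

/* Model of a DMA read from guest RAM; fails outside the buffer. */
static int guest_read(const uint8_t *ram, uint64_t addr, void *dst, size_t len)
{
    if (addr > RAM_SIZE || len > RAM_SIZE - addr) return -1;
    memcpy(dst, ram + addr, len);
    return 0;
}

/* Analogue of pvscsi_get_next_sg_elem: fetch the next 16-byte element
 * and load its address and length into the walker. */
static int get_next_sg_elem(const uint8_t *ram, struct sg_state *sg)
{
    struct sg_elem e;
    if (guest_read(ram, sg->elem_addr, &e, sizeof e) < 0) return -1;
    sg->elem_addr += sizeof e;
    sg->dataAddr = e.addr;
    sg->resid = e.length;
    return 0;
}

/* Consume data_length bytes from the SG list at sg_list_addr.
 * max_elems == 0 reproduces the unbounded walk: zero-length elements never
 * move data_length, so the inner loop stops only when a read fails.
 * A non-zero cap turns that into SG_TOO_MANY_ELEMS after max_elems reads. */
static enum sg_result convert_sglist(const uint8_t *ram, uint64_t sg_list_addr,
                                     uint64_t data_length, unsigned max_elems,
                                     unsigned *nelems, uint64_t *bytes_mapped)
{
    struct sg_state sg = { sg_list_addr, 0, 0 };
    unsigned count = 0;
    uint32_t chunk_size;

    *bytes_mapped = 0;
    while (data_length) {
        while (!sg.resid) {
            if (max_elems && count >= max_elems) { *nelems = count; return SG_TOO_MANY_ELEMS; }
            if (get_next_sg_elem(ram, &sg) < 0)  { *nelems = count; return SG_BAD_READ; }
            count++;
        }
        chunk_size = data_length < sg.resid ? (uint32_t)data_length : sg.resid;
        /* the real code would append (sg.dataAddr, chunk_size) to its SG list */
        *bytes_mapped += chunk_size;
        sg.dataAddr += chunk_size;
        data_length -= chunk_size;
        sg.resid -= chunk_size;
    }
    *nelems = count;
    return SG_OK;
}

/* Write element idx of the list at list_addr into the constructed RAM. */
static void put_elem(uint8_t *ram, uint64_t list_addr, unsigned idx, uint64_t addr, uint32_t len)
{
    struct sg_elem e = { addr, len, 0 };
    memcpy(ram + list_addr + (uint64_t)idx * SG_ELEM_SIZE, &e, sizeof e);
}

/* Scenario 1 (constructed): a well-formed list with one zero-length element. */
static enum sg_result demo_valid_list(unsigned *nelems, uint64_t *bytes)
{
    static uint8_t ram[RAM_SIZE];
    memset(ram, 0, sizeof ram);
    put_elem(ram, 0x100, 0, 0x1000, 512);
    put_elem(ram, 0x100, 1, 0x2000, 0);    /* legal: just skipped by the inner loop */
    put_elem(ram, 0x100, 2, 0x3000, 512);
    return convert_sglist(ram, 0x100, 1024, MAX_SG_ELEMS, nelems, bytes);
}

/* Scenario 2 (constructed): the list area is all zeros, so every element has resid 0. */
static enum sg_result demo_zero_list(unsigned max_elems, unsigned *nelems, uint64_t *bytes)
{
    static uint8_t ram[RAM_SIZE];
    memset(ram, 0, sizeof ram);
    return convert_sglist(ram, 0x0, 1024, max_elems, nelems, bytes);
}

int main(void)
{
    unsigned n; uint64_t b;
    enum sg_result r = demo_valid_list(&n, &b);
    printf("valid list: result %d, %u elements read, %llu bytes mapped\n", r, n, (unsigned long long)b);
    r = demo_zero_list(MAX_SG_ELEMS, &n, &b);
    printf("zero list, capped: result %d after %u elements\n", r, n);
    r = demo_zero_list(0, &n, &b);
    printf("zero list, uncapped: result %d after %u elements (read ran off the model RAM)\n", r, n);
    return 0;
}
```

In the uncapped case the model only terminates because its RAM is 64 KiB; on a real guest the element address keeps climbing through the whole address space, which is the spin P J P observed. The cap makes the failure explicit and cheap regardless of what the guest put in the list.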