[Qemu-devel] [PATCH 2/2] slirp: fix packet requeue issue in batchq

Wed, 15 Feb 2012 00:13:57 -0800 

From: Zhi Yong Wu <wu...@linux.vnet.ibm.com>

This patch fixes the slirp crash in current QEMU upstream.

Signed-off-by: Zhi Yong Wu <wu...@linux.vnet.ibm.com>
---
 slirp/if.c   |   37 ++++++++++++++++++++++++++++++-------
 slirp/mbuf.c |    3 +--
 2 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/slirp/if.c b/slirp/if.c
index 8e0cac2..f7f8577 100644
--- a/slirp/if.c
+++ b/slirp/if.c
@@ -20,8 +20,15 @@ ifs_insque(struct mbuf *ifm, struct mbuf *ifmhead)
 static void
 ifs_remque(struct mbuf *ifm)
 {
-       ifm->ifs_prev->ifs_next = ifm->ifs_next;
-       ifm->ifs_next->ifs_prev = ifm->ifs_prev;
+        if (ifm->ifs_next->ifs_next == ifm
+            && ifm->ifs_next->ifs_prev == ifm) {
+            ifs_init(ifm->ifs_next);
+        } else {
+            ifm->ifs_prev->ifs_next = ifm->ifs_next;
+            ifm->ifs_next->ifs_prev = ifm->ifs_prev;
+        }
+
+        ifs_init(ifm);
 }
 
 void
@@ -154,14 +161,18 @@ if_start(Slirp *slirp)
 {
     uint64_t now = qemu_get_clock_ns(rt_clock);
     int requeued = 0;
-       struct mbuf *ifm, *ifqt;
+    struct mbuf *ifm, *ifqt, *ifm_next;
 
-       DEBUG_CALL("if_start");
+    DEBUG_CALL("if_start");
 
-       if (slirp->if_queued == 0)
-          return; /* Nothing to do */
+    if (slirp->if_queued == 0)
+        return; /* Nothing to do */
+
+    slirp->next_m = &slirp->if_batchq;
 
  again:
+        ifm_next = NULL;
+
         /* check if we can really output */
         if (!slirp_can_output(slirp->opaque))
             return;
@@ -190,6 +201,7 @@ if_start(Slirp *slirp)
        /* If there are more packets for this session, re-queue them */
        if (ifm->ifs_next != /* ifm->ifs_prev != */ ifm) {
                insque(ifm->ifs_next, ifqt);
+                ifm_next = ifm->ifs_next;
                ifs_remque(ifm);
        }
 
@@ -209,7 +221,18 @@ if_start(Slirp *slirp)
                 m_free(ifm);
             } else {
                 /* re-queue */
-                insque(ifm, ifqt);
+                if (ifm_next) {
+                    /*restore the original state of bachq*/
+                    remque(ifm_next);
+                    insque(ifm, ifqt);
+                    ifm_next->ifs_prev->ifs_next = ifm;
+                    ifm->ifs_prev = ifm_next->ifs_prev;
+                    ifm->ifs_next = ifm_next;
+                    ifm_next->ifs_prev = ifm;
+                } else {
+                    insque(ifm, ifqt);
+                }
+
                 requeued++;
             }
         }
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index c699c75..f429c0a 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -68,8 +68,7 @@ m_get(Slirp *slirp)
        m->m_size = SLIRP_MSIZE - offsetof(struct mbuf, m_dat);
        m->m_data = m->m_dat;
        m->m_len = 0;
-        m->m_nextpkt = NULL;
-        m->m_prevpkt = NULL;
+        ifs_init(m);
         m->arp_requested = false;
         m->expiration_date = (uint64_t)-1;
 end_error:
-- 
1.7.6

Reply via email to