From patchwork Sun Jan 24 08:51:49 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@web.de>
X-Patchwork-Id: 43589
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id E940DB7CBD
	for <incoming@patchwork.ozlabs.org>;
	Sun, 24 Jan 2010 19:57:40 +1100 (EST)
Received: from localhost ([127.0.0.1]:32795 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NYyDj-0004dh-5v
	for incoming@patchwork.ozlabs.org; Sun, 24 Jan 2010 03:53:23 -0500
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NYyCP-0004dC-30
	for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:52:01 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1NYyCK-0004as-JR
	for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:52:00 -0500
Received: from [199.232.76.173] (port=36410 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NYyCK-0004ap-EI
	for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:51:56 -0500
Received: from fmmailgate01.web.de ([217.72.192.221]:34332)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <jan.kiszka@web.de>) id 1NYyCJ-0000a8-QG
	for qemu-devel@nongnu.org; Sun, 24 Jan 2010 03:51:56 -0500
Received: from smtp06.web.de (fmsmtp06.dlan.cinetic.de [172.20.5.172])
	by fmmailgate01.web.de (Postfix) with ESMTP id 780F01457D309;
	Sun, 24 Jan 2010 09:51:53 +0100 (CET)
Received: from [88.64.28.217] (helo=[192.168.1.10])
	by smtp06.web.de with asmtp (TLSv1:AES256-SHA:256)
	(WEB.DE 4.110 #314)
	id 1NYyCH-0002wQ-00; Sun, 24 Jan 2010 09:51:53 +0100
Message-ID: <4B5C0A25.40202@web.de>
Date: Sun, 24 Jan 2010 09:51:49 +0100
From: Jan Kiszka <jan.kiszka@web.de>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de;
	rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12
	Mnenhy/0.7.5.666
MIME-Version: 1.0
To: malc <av1474@comtv.ru>
X-Enigmail-Version: 0.95.7
X-Sender: jan.kiszka@web.de
X-Provags-ID: V01U2FsdGVkX1/JEO192hlam7WJOjwUEUZFLkfZfcORhcf3u9M2
	t9E5MPE6z5lFv3am+56sZHjeHJQK6YRbISBJQlroT4ol8fa4CP p01oq7cIg=
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.4-2.6
Cc: Anthony Liguori <aliguori@us.ibm.com>, qemu-devel <qemu-devel@nongnu.org>
Subject: [Qemu-devel] [PATCH][STABLE] Musicpal: Fix descriptor walk in
	eth_send
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit 930c86820e introduced a regression to eth_send: eth_tx_desc_put
manipulates the host's tx descriptor copy before writing it back, but
two lines down the descriptor is evaluated again, leaving us with an
invalid next address if host and guest endianness differ. So this was
the actual issue commit 2e87c5b937 tried to paper over.

Signed-off-by: Jan Kiszka <jan.kiszka@web.de>
---
 hw/musicpal.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/musicpal.c b/hw/musicpal.c
index e424a7d..b8af15e 100644
--- a/hw/musicpal.c
+++ b/hw/musicpal.c
@@ -238,14 +238,13 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index)
 {
     uint32_t desc_addr = s->tx_queue[queue_index];
     mv88w8618_tx_desc desc;
+    uint32_t next_desc;
     uint8_t buf[2048];
     int len;
 
-    if (!desc_addr) {
-        return;
-    }
     do {
         eth_tx_desc_get(desc_addr, &desc);
+        next_desc = desc.next;
         if (desc.cmdstat & MP_ETH_TX_OWN) {
             len = desc.bytes;
             if (len < 2048) {
@@ -256,7 +255,7 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index)
             s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
             eth_tx_desc_put(desc_addr, &desc);
         }
-        desc_addr = desc.next;
+        desc_addr = next_desc;
     } while (desc_addr != s->tx_queue[queue_index]);
 }