From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60266) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dmbWw-0007Pv-7d for qemu-devel@nongnu.org; Tue, 29 Aug 2017 04:05:51 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dmbWr-0003tm-70 for qemu-devel@nongnu.org; Tue, 29 Aug 2017 04:05:50 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52403) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dmbWq-0003tN-Rb for qemu-devel@nongnu.org; Tue, 29 Aug 2017 04:05:45 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id v7T84RgR129099 for ; Tue, 29 Aug 2017 04:05:42 -0400 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 2cmyn229uu-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 29 Aug 2017 04:05:42 -0400 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 29 Aug 2017 02:05:41 -0600 References: <1503907487-2764-1-git-send-email-zyimin@linux.vnet.ibm.com> <1503907487-2764-2-git-send-email-zyimin@linux.vnet.ibm.com> <20170828165122.041b62b2.cohuck@redhat.com> <20170829100025.639b0ebb.cohuck@redhat.com> From: Yi Min Zhao Date: Tue, 29 Aug 2017 16:05:34 +0800 MIME-Version: 1.0 In-Reply-To: <20170829100025.639b0ebb.cohuck@redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed Message-Id: <26569383-8576-f68f-4314-8dd5fad277c7@linux.vnet.ibm.com> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH 1/4] s390x/pci: fixup trap_msix() List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Cornelia Huck Cc: qemu-devel@nongnu.org, borntraeger@de.ibm.com, pasic@linux.vnet.ibm.com, pmorel@linux.vnet.ibm.com, agraf@suse.de, richard.henderson@linaro.org =E5=9C=A8 2017/8/29 =E4=B8=8B=E5=8D=884:00, Cornelia Huck =E5=86=99=E9=81= =93: > On Tue, 29 Aug 2017 12:32:17 +0800 > Yi Min Zhao wrote: > >> =E5=9C=A8 2017/8/28 =E4=B8=8B=E5=8D=8810:51, Cornelia Huck =E5=86=99=E9= =81=93: >>> On Mon, 28 Aug 2017 10:04:44 +0200 >>> Yi Min Zhao wrote: >>> =20 >>>> The function trap_msix() is to check if pcistg instruction would acc= ess >>>> msix table entries. The correct boundary condition should be >>>> [table_offset, table_offset+entries*entry_size). But the current >>>> condition calculated misses the last entry. So let's fixup it. >>>> >>>> Acked-by: Dong Jia Shi >>>> Reviewed-by: Pierre Morel >>>> Signed-off-by: Yi Min Zhao >>>> --- >>>> hw/s390x/s390-pci-inst.c | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c >>>> index b7beb8c36a..eba9ffb5f2 100644 >>>> --- a/hw/s390x/s390-pci-inst.c >>>> +++ b/hw/s390x/s390-pci-inst.c >>>> @@ -440,8 +440,8 @@ static int trap_msix(S390PCIBusDevice *pbdev, ui= nt64_t offset, uint8_t pcias) >>>> { >>>> if (pbdev->msix.available && pbdev->msix.table_bar =3D=3D pci= as && >>>> offset >=3D pbdev->msix.table_offset && >>>> - offset <=3D pbdev->msix.table_offset + >>>> - (pbdev->msix.entries - 1) * PCI_MSIX_ENTRY_SIZE) = { >>>> + offset < (pbdev->msix.table_offset + >>>> + pbdev->msix.entries * PCI_MSIX_ENTRY_SIZE)) { >>>> return 1; >>>> } else { >>>> return 0; >>> What happened before due to the miscalculation? Write to wrong memory >>> region? >>> >>> =20 >> We tried to plug virtio-net pci device but failed. After inspected, we >> found that the device uses two msix entries but the last one was >> missed. Then we cannot register interrupt successfully because we >> should call trap_msixi() in order to save some useful and arch >> information into msix message. But what about wrong memory region >> didn't happen. > So, the guest just was not able to use the second msix entry, but did > not get any exception? > > Yes, didn't get any exception. The guest just kept waiting for something (I guess that might be the response for interrupt register) and then the system had no response. What I can do is only destroy the guest.