On 04/24/2018 05:20 PM, Takashi Iwai wrote:
On Mon, 16 Apr 2018 08:24:51 +0200, Oleksandr Andrushchenko wrote:
+static irqreturn_t evtchnl_interrupt_req(int irq, void *dev_id) +{
- struct xen_snd_front_evtchnl *channel = dev_id;
- struct xen_snd_front_info *front_info = channel->front_info;
- struct xensnd_resp *resp;
- RING_IDX i, rp;
- unsigned long flags;
- if (unlikely(channel->state != EVTCHNL_STATE_CONNECTED))
return IRQ_HANDLED;- spin_lock_irqsave(&front_info->io_lock, flags);
+again:
- rp = channel->u.req.ring.sring->rsp_prod;
- /* ensure we see queued responses up to rp */
- rmb();
- for (i = channel->u.req.ring.rsp_cons; i != rp; i++) {
I'm not familiar with Xen stuff in general, but through a quick glance, this kind of code worries me a bit.
If channel->u.req.ring.rsp_cons has a bogus number, this may lead to a very long loop, no? Better to have a sanity check of the ring buffer size.
In this loop I have: resp = RING_GET_RESPONSE(&channel->u.req.ring, i); and the RING_GET_RESPONSE macro is designed in the way that it wraps around when *i* in the question gets bigger than the ring size:
#define RING_GET_REQUEST(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
So, even if the counter has a bogus number it will not last long
+static irqreturn_t evtchnl_interrupt_evt(int irq, void *dev_id) +{
- struct xen_snd_front_evtchnl *channel = dev_id;
- struct xen_snd_front_info *front_info = channel->front_info;
- struct xensnd_event_page *page = channel->u.evt.page;
- u32 cons, prod;
- unsigned long flags;
- if (unlikely(channel->state != EVTCHNL_STATE_CONNECTED))
return IRQ_HANDLED;- spin_lock_irqsave(&front_info->io_lock, flags);
- prod = page->in_prod;
- /* ensure we see ring contents up to prod */
- virt_rmb();
- if (prod == page->in_cons)
goto out;- for (cons = page->in_cons; cons != prod; cons++) {
Ditto.
Same as above
thanks,
Takashi
Thank you, Oleksandr