Age | Commit message | Author
2013-08-30 | ide: Pass size to ide_bus_new() | Andreas Färber
    To be passed to qbus_create_inplace().
    Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30 | ipack: Pass size to ipack_bus_new_inplace() | Andreas Färber
    To be passed to qbus_create_inplace().
    Simplify DEVICE() cast to avoid parent field access.
    Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30 | intel-hda: Pass size to hda_codec_bus_init() | Andreas Färber
    To be passed to qbus_create_inplace().
    Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30 | qom: Fix object_initialize_with_type() argument name in documentation | Andreas Färber
    @obj -> @data.
    Reviewed-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30 | virtio: Remove unnecessary OBJECT() casts | Peter Maydell
    There's no need to cast the first argument of object_initialize() to Object. Remove these unnecessary casts.
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30 | object: Fix typo in qom/object.h | Peter Chubb
    There's been a cut-and-paste error, it looks like, in the documentation in qom/object.h.
    Signed-off-by: Peter Chubb <peter.chubb@nicta.com.au>
    Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-08-30 | Merge remote-tracking branch 'luiz/queue/qmp' into staging | Anthony Liguori
    # By Wenchao Xia (15) and Stefan Weil (1)
    # Via Luiz Capitulino
    * luiz/queue/qmp:
      monitor: improve auto complete of "help" for single command in sub group
      monitor: allow "help" show message for single command in sub group
      monitor: support sub command in auto completion
      monitor: refine monitor_find_completion()
      monitor: support sub command in help
      monitor: refine parse_cmdline()
      monitor: code move for parse_cmdline()
      monitor: avoid direct use of global variable *mon_cmds
      monitor: split off monitor_data_init()
      monitor: call sortcmdlist() only one time
      monitor: avoid use of global *cur_mon in readline_completion()
      monitor: avoid use of global *cur_mon in monitor_find_completion()
      monitor: avoid use of global *cur_mon in block_completion_it()
      monitor: avoid use of global *cur_mon in file_completion()
      monitor: avoid use of global *cur_mon in cmd_completion()
      monitor: Add missing attributes to local function

    Message-id: 1377865357-6742-1-git-send-email-lcapitulino@redhat.com
2013-08-30 | Merge remote-tracking branch 'borntraeger/tags/kdump' into staging | Anthony Liguori
    This is a set of patches dealing with kdump support for s390x/kvm.

    kdump on s390x uses subcode 1 of diagnose 0x308 to put the hardware in a defined state. This is different from a full reset, since it does not touch all CPU registers.

    These patches define the cpu resets, the subsystem reset, a load function, and also wire up the "nmi" command to issue a RESTART interrupt as defined in the z/Architecture principles of operation.

    This allows recent guest kernels with properly set up userspace to trigger kdump:
    - via guest crash
    - via nmi from the host

    # gpg: Signature made Fri 30 Aug 2013 07:19:18 AM CDT using RSA key ID B5A61C7C
    # gpg: Can't check signature: public key not found
    # By Christian Borntraeger (5) and Eugene (jno) Dvurechenski (2)
    # Via Christian Borntraeger
    * borntraeger/tags/kdump:
      s390: wire up nmi command to raise a RESTART interrupt on S390
      s390: Implement load normal reset
      s390/cpu: split CPU reset into architectured functions
      s390: provide a cpu load normal function
      s390: provide I/O subsystem reset
      s390/kvm: basic implementation of diagnose 308 subcode 6
      s390x/kvm: Fix switch/case indentation for handle_diag

    Message-id: 1377810649-47484-1-git-send-email-borntraeger@de.ibm.com
2013-08-30 | s390: wire up nmi command to raise a RESTART interrupt on S390 | Eugene (jno) Dvurechenski
    There is the 'nmi' command that is used to trigger a guest dump via the kdump feature on x86. s390 uses the RESTART interrupt to trigger kdump. So, this patch provides a means to use the 'nmi' command on s390 to raise a RESTART interrupt.

    The CPU to receive the RESTART interrupt is the "default" one. There is an infrastructure to select the "default" CPU using the 'cpu' command. The 'info cpus' command can be used to see which one is the "default".

    In order to wire up the RESTART to the 'nmi' command we had to:
    1. implement the kvm_s390_cpu_restart function by exporting the existing code
    2. implement the s390_cpu_restart function as a kvm-aware wrapper
    3. modify the qmp_inject_nmi function to enable (for s390) the scan for the "default" CPU and call s390_cpu_restart for it;
    4. fix some messages.

    Signed-off-by: Eugene (jno) Dvurechenski <jno@linux.vnet.ibm.com>
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Acked-by: Alexander Graf <agraf@suse.de>
2013-08-30 | s390: Implement load normal reset | Christian Borntraeger
    kdump on s390 uses a load normal reset to bring the system into a defined state by doing a subsystem reset. The issuing CPU will have an initial CPU reset, all other CPUs will have a CPU reset as defined in POP (no register content will change). Implement this as architectured.

    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2013-08-30 | s390/cpu: split CPU reset into architectured functions | Christian Borntraeger
    s390 provides several CPU resets:
    - CPU reset, clears interrupts, stop processing, clears TLB, but does not touch registers
    - initial CPU reset, like CPU reset, but also clears PSW, prefix, FPC, timer and control registers. It does not touch gprs, fprs and acrs (!)
    - Power on reset: the full monty

    Wire up CPUClass reset to the full monty, but provide the lesser resets as part of S390CPUClass.

    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2013-08-30 | monitor: improve auto complete of "help" for single command in sub group | Wenchao Xia
    Now the special case "help *" in auto completion can work with sub commands, such as "help info u*".

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: allow "help" show message for single command in sub group | Wenchao Xia
    A new parameter type 'S' is introduced to allow the user to input any string. "help info block" works normally now.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: support sub command in auto completion | Wenchao Xia
    This patch allows auto completion to work normally for the sub command case; "info block [DEVICE]" can auto complete now, by re-entering the completion function. In the original code "info" is treated as a special case; now it is treated as a sub command group, and the global variable info_cmds is not used any more. The "help" command is still treated as a special case, since it is not a sub command group but wants to auto complete commands in the root command table.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: refine monitor_find_completion() | Wenchao Xia
    In order to support sub commands in auto completion, a reentrant function is needed, so monitor_find_completion() is split into two parts. The first part does the parsing of user input, which needs to be done only once; the second part does the auto completion job according to the parsing result, which contains the necessary code to support sub commands and works as the reentrant function. The global "info_cmds" is still used in the second part, which will be replaced by sub command code later.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: support sub command in help | Wenchao Xia
    The old code in help_cmd() uses the global 'info_cmds' and treats it as a special case. Actually 'info_cmds' is a sub command group of 'mon_cmds'; in order to avoid direct use of it, help_cmd() needs to change its work mechanism to support sub commands and not treat it as a special case any more.

    To support sub commands, help_cmd() will first parse the input and then call help_cmd_dump(), which works as a reentrant function. When it meets a sub command, it simply enters the function again. Since help dumping needs to know the whole input to printf the full help message including the prefix (for example, "help info block" needs to printf the prefix "info"), help_cmd_dump() takes all args from the input and an extra parameter arg_index to identify the progress. Another function help_cmd_dump_one() is introduced to printf the prefix and the command's help message.

    Now help supports sub commands, so later if another sub command group is added at any depth, help will automatically work for it. Still, "help info block" will show an error since the command parser rejects additional parameters, which can be improved later. "log" is still treated as a special case.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: refine parse_cmdline() | Wenchao Xia
    Since this function will be used by help_cmd() later, improve it to make it more generic and easier to use. free_cmdline_args() is added too as a paired function to free the result.

    One change of this function is that, when the valid args in the input exceed the limit of MAX_ARGS, it fails now, instead of returning with MAX_ARGS of parsed args as in the old code. This should not impact much since it is rare that users input many args in the monitor's "help" and auto complete scenarios.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: code move for parse_cmdline() | Wenchao Xia
    help_cmd() needs this function later, so move it. get_str() is called by parse_cmdline() so it is moved also. Some code style errors reported by the check script are also fixed.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: avoid direct use of global variable *mon_cmds | Wenchao Xia
    A new member *cmd_table is added in structure Monitor to avoid direct usage of *mon_cmds. Now a monitor has an associated command table; when the global variable *info_cmds is also discarded, structure Monitor would gain full control over how to deal with user input.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: split off monitor_data_init() | Wenchao Xia
    In qmp_human_monitor_command(), the monitor needs to be initialized for basic functionalities, and later more init code will be added, so split off this function. Note that it is different from a QMP mode monitor, which accepts a json string from the monitor's input: qmp_human_monitor_command() retrieves the human style command from the QMP input, then sends the command to a normal mode monitor.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: call sortcmdlist() only one time | Wenchao Xia
    It doesn't need to be done for every monitor, so change it.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: avoid use of global *cur_mon in readline_completion() | Wenchao Xia
    Now all completion functions do not use *cur_mon any more; instead they use rs->mon. In short, structure ReadLineState decides where the complete action would be taken now.

    Tested with the case that qemu has two telnet monitors; the auto completion function works normally.

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: avoid use of global *cur_mon in monitor_find_completion() | Wenchao Xia
    Parameter *mon is added, and the local variable *mon added in the previous patch is removed. The caller, readline_completion(), passes rs->mon as the value, which should be initialized in readline_init() called by monitor_init().

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: avoid use of global *cur_mon in block_completion_it() | Wenchao Xia
    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: avoid use of global *cur_mon in file_completion() | Wenchao Xia
    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: avoid use of global *cur_mon in cmd_completion() | Wenchao Xia
    A new local variable *mon is added in monitor_find_completion() to make compilation pass, which will be removed later in the conversion patch for monitor_find_completion().

    Signed-off-by: Wenchao Xia <xiawenc@linux.vnet.ibm.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | monitor: Add missing attributes to local function | Stefan Weil
    Function expr_error gets a format string and variable arguments like printf. It also never returns. Add the necessary attributes.

    Signed-off-by: Stefan Weil <sw@weilnetz.de>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
2013-08-30 | s390: provide a cpu load normal function | Christian Borntraeger
    Some code needs to perform an IPL-like bootup that mimics the ESA (31bit) restart. Provide a cpu class method that does so.

    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Acked-by: Alexander Graf <agraf@suse.de>
2013-08-30 | s390: provide I/O subsystem reset | Christian Borntraeger
    Provide a function that resets the I/O subsystem.

    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Acked-by: Alexander Graf <agraf@suse.de>
2013-08-30 | s390/kvm: basic implementation of diagnose 308 subcode 6 | Eugene (jno) Dvurechenski
    Linux uses a check for subcode 6 to decide if other subcodes are available. Provide a minimal implementation for subcode 6, as well as for subcode 5.

    Signed-off-by: Eugene (jno) Dvurechenski <jno@linux.vnet.ibm.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    [Move code from kvm.c into misc_helper.c]
2013-08-30 | s390x/kvm: Fix switch/case indentation for handle_diag | Christian Borntraeger
    This aligns case statements to switch statements in the handle_diag function as mandated by coding style.

    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
2013-08-29 | Merge remote-tracking branch 'qemu-kvm/uq/master' into stable-1.5 | Anthony Liguori
    * qemu-kvm/uq/master:
      kvm-stub: fix compilation
      kvm: shorten the parameter list for get_real_device()
      kvm: i386: fix LAPIC TSC deadline timer save/restore
      kvm-all.c: max_cpus should not exceed KVM vcpu limit
      kvm: Simplify kvm_handle_io
      kvm: x86: fix setting IA32_FEATURE_CONTROL with nested VMX disabled
      kvm: add KVM_IRQFD_FLAG_RESAMPLE support
      kvm: migrate vPMU state
      target-i386: remove tabs from target-i386/cpu.h
      Initialize IA32_FEATURE_CONTROL MSR in reset and migration

    Conflicts:
      target-i386/cpu.h
      target-i386/kvm.c

    aliguori: fixup trivial conflicts due to whitespace and added cpu argument

    Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-08-29 | Merge remote-tracking branch 'sweil/mingw' into stable-1.5 | Anthony Liguori
    # By Stefan Weil
    # Via Stefan Weil
    * sweil/mingw:
      gtk: Remove unused include statements which are not portable
      w32: Add an icon resource
      w32: Fix broken out-of-tree builds (missing version.o)

    Message-id: 1377607132-21336-1-git-send-email-sw@weilnetz.de
    Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-08-29 | Merge remote-tracking branch 'mst/tags/for_anthony' into stable-1.5 | Anthony Liguori
    pc,pci,virtio fixes and cleanups

    This includes pc and pci cleanups, future-proofing of ROM files, and a virtio bugfix correcting splice on virtio console.

    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

    # gpg: Signature made Mon 26 Aug 2013 01:34:20 AM CDT using RSA key ID D28D5469
    # gpg: Can't check signature: public key not found
    # By Markus Armbruster (5) and others
    # Via Michael S. Tsirkin
    * mst/tags/for_anthony:
      virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table
      pc_piix: Kill pc_init1() memory region args
      pc: pc_compat_1_4() now can call pc_compat_1_5()
      pc: Create pc_compat_*() functions
      pc: Kill pc_init_pci_1_0()
      pc: Don't explode QEMUMachineInitArgs into local variables needlessly
      pc: Don't prematurely explode QEMUMachineInitArgs
      ppc: Don't duplicate QEMUMachineInitArgs in PPCE500Params
      ppc: Don't explode QEMUMachineInitArgs into local variables needlessly
      sun4: Don't prematurely explode QEMUMachineInitArgs
      q35: Add PCIe switch to example q35 configuration
      loader: store FW CFG ROM files in RAM
      arch_init: align MR size to target page size
      pc: cleanup 1.4 compat support

    Message-id: 1377535318-30491-1-git-send-email-mst@redhat.com
2013-08-29 | tcg-i386: Remove abort from GETPC_LDST | Richard Henderson
    Indeed, remove it entirely and remove the is_tcg_gen_code check from GETPC_EXT.

    Fixes https://bugs.launchpad.net/qemu/+bug/1218098 wherein a call to a "normal" helper function performed a sequence of tail calls all the way into the memory helper functions, leading to a stack frame in which the memory helper function appeared to be called directly from tcg.

    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-28 | target-mips: fix get_physical_address() #if 0 build error | James Hogan
    In get_physical_address() is a qemu_log() call inside an #if 0 block. When enabled the following build error is hit:

    target-mips/helper.c In function ‘get_physical_address’:
    target-mips/helper.c:220:13: error: format ‘%x’ expects argument of type ‘unsigned int’, but argument 5 has type ‘hwaddr’ [-Werror=format]

    Fix the *physical (hwaddr) formatting by using "%"HWADDR_PRIx instead of TARGET_FMT_lx.

    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Cc: Aurelien Jarno <aurelien@aurel32.net>
    Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
    Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2013-08-28 | kvm-stub: fix compilation | Paolo Bonzini
    Non-KVM targets fail compilation on the uq/master branch. Fix the prototype of kvm_irqchip_add_irqfd_notifier to match the one in kvm-all.c.

    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Gleb Natapov <gleb@redhat.com>
2013-08-27 | gtk: Remove unused include statements which are not portable | Stefan Weil
    These include files don't exist for MinGW and are not needed for Linux (and hopefully for other hosts as well), so remove them.

    Signed-off-by: Stefan Weil <sw@weilnetz.de>
2013-08-27 | w32: Add an icon resource | Stefan Weil
    The QEMU mascot which was already used for the NSIS installer is now used for all QEMU executables.

    Signed-off-by: Stefan Weil <sw@weilnetz.de>
2013-08-27 | w32: Fix broken out-of-tree builds (missing version.o) | Stefan Weil
    Commit 0b516ef0dfad9a7b34c675c98e8ec92ab4d38466 added version.o to all executables, but broke out-of-tree builds: for those builds the pattern rule %.o: %.rc from rules.mak does not match, so version.o was no longer built. Adding explicit build rules fixes this.

    Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
    Signed-off-by: Stefan Weil <sw@weilnetz.de>
    Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2013-08-26 | tcg-i386: Use new return-argument ld/st helpers | Richard Henderson
    Discontinue the jump-around-jump-to-jump scheme, trading it for a single immediate move instruction. The two extra jumps always consume 7 bytes, whereas the immediate move is either 5 or 7 bytes depending on where the code_gen_buffer gets located.

    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | tcg: Tidy softmmu_template.h | Richard Henderson
    Avoid a loop in the tlb_fill path; the fill will either succeed or generate an exception.

    Inline the slow_ld/st function; it was a complete copy of the main helper except for the actual cross-page unaligned code, and the compiler was inlining it anyway.

    Add unlikely markers optimizing for the most common case of simple tlb miss.

    Make sure the compiler can optimize away the unaligned paths for a 1 byte access.

    Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | tcg: Add mmu helpers that take a return address argument | Richard Henderson
    Allow the code that tcg generates to be less obtuse, passing in the return address directly instead of computing it in the helper.

    Maintain the old entrance point unchanged as an alternate entry point.

    Delete the helper_st*_cmmu prototypes; the implementations did not exist.

    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | tcg-i386: Tidy qemu_ld/st slow path | Richard Henderson
    Use existing stack space for arguments; don't push/pop. Use less ifdefs and more C ifs.

    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | tcg-i386: Try pc-relative lea for constant formation | Richard Henderson
    Use a 7 byte lea before the ultimate 10 byte movq.

    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | tcg-i386: Add and use tcg_out64 | Richard Henderson
    No point in splitting the write into 32-bit pieces.

    Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | tcg: Tidy generated code for tcg_outN | Richard Henderson
    Aliasing was forcing s->code_ptr to be re-read after the store. Keep the pointer in a local variable to help the compiler.

    Signed-off-by: Richard Henderson <rth@twiddle.net>
2013-08-26 | Merge remote-tracking branch 'stefanha/block' into staging | Anthony Liguori
    # By Alex Bligh (32) and others
    # Via Stefan Hajnoczi
    * stefanha/block: (42 commits)
      win32-aio: drop win32_aio_flush_cb()
      aio-win32: replace incorrect AioHandler->opaque usage with ->e
      aio / timers: remove dummy_io_handler_flush from tests/test-aio.c
      aio / timers: Remove legacy interface
      aio / timers: Switch entire codebase to the new timer API
      aio / timers: Add scripts/switch-timer-api
      aio / timers: Add test harness for AioContext timers
      aio / timers: convert block_job_sleep_ns and co_sleep_ns to new API
      aio / timers: Convert rtc_clock to be a QEMUClockType
      aio / timers: Remove main_loop_timerlist
      aio / timers: Rearrange timer.h & make legacy functions call non-legacy
      aio / timers: Add qemu_clock_get_ms and qemu_clock_get_ms
      aio / timers: Remove legacy qemu_clock_deadline & qemu_timerlist_deadline
      aio / timers: Remove alarm timers
      aio / timers: Add documentation and new format calls
      aio / timers: Use all timerlists in icount warp calculations
      aio / timers: Introduce new API timer_new and friends
      aio / timers: On timer modification, qemu_notify or aio_notify
      aio / timers: Convert mainloop to use timeout
      aio / timers: Convert aio_poll to use AioContext timers' deadline
      ...

    Message-id: 1377202298-22896-1-git-send-email-stefanha@redhat.com
    Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-08-26 | Merge remote-tracking branch 'afaerber/tags/0.15-maintainer-for-anthony' into staging | Anthony Liguori
    MAINTAINERS update for stable-0.15

    # gpg: Signature made Thu 22 Aug 2013 10:59:31 AM CDT using RSA key ID 3E7E013F
    # gpg: Can't check signature: public key not found
    # By Andreas Färber
    # Via Andreas Färber
    * afaerber/tags/0.15-maintainer-for-anthony:
      MAINTAINERS: Take over 0.15 maintenance
2013-08-25 | virtio: virtqueue_get_avail_bytes: fix desc_pa when loop over the indirect descriptor table | yinyin
    virtqueue_get_avail_bytes: when an indirect desc is found, we need to loop over it.

        /* loop over the indirect descriptor table */
        indirect = 1;
        max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
        num_bufs = i = 0;
        desc_pa = vring_desc_addr(desc_pa, i);

    But it inits i to 0, then uses i to update desc_pa, so we will always get:

        desc_pa = vring_desc_addr(desc_pa, 0);

    The last two lines should be swapped.

    Cc: qemu-stable@nongnu.org
    Signed-off-by: Yin Yin <yin.yin@cs2c.com.cn>
    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>