From: Alejandro Jimenez <[email protected]> When processing a command, amdvi_cmdbuf_run() increments cmdbuf_head and writes it to the emulated MMIO register space before checking whether it has reached the end of the command buffer.
If the incremented value reaches the end of the buffer and the tail pointer is zero, the loop exits and the COMMAND_HEAD offset still contains an unwrapped value. There are no errors in command processing since internal cmdbuf_head state is always correctly updated, but the spec defines the CmdHeadPtr field in MMIO Offset 2000h Command Buffer Head Pointer Register as RW i.e. guest-visible, so it should be kept consistent. Wrap cmdbuf_head before updating COMMAND_HEAD so the MMIO-visible register always matches the internal command buffer head pointer position. Cc: [email protected] Signed-off-by: Alejandro Jimenez <[email protected]> Reviewed-by: Sairaj Kodilkar <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 3c98e446af825b5806c1e5cd1244b2431b15e884) Signed-off-by: Michael Tokarev <[email protected]> diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c index 4405ce8988..8efebd3eea 100644 --- a/hw/i386/amd_iommu.c +++ b/hw/i386/amd_iommu.c @@ -583,12 +583,12 @@ static void amdvi_cmdbuf_run(AMDVIState *s) trace_amdvi_command_exec(s->cmdbuf_head, s->cmdbuf_tail, s->cmdbuf); amdvi_cmdbuf_exec(s); s->cmdbuf_head += AMDVI_COMMAND_SIZE; - amdvi_writeq_raw(s, AMDVI_MMIO_COMMAND_HEAD, s->cmdbuf_head); /* wrap head pointer */ if (s->cmdbuf_head >= s->cmdbuf_len * AMDVI_COMMAND_SIZE) { s->cmdbuf_head = 0; } + amdvi_writeq_raw(s, AMDVI_MMIO_COMMAND_HEAD, s->cmdbuf_head); } } -- 2.47.3
