From: "Cédric Le Goater" <clg@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>,
"Jamin Lin" <jamin_lin@aspeedtech.com>,
"Kane Chen" <kane_chen@aspeedtech.com>,
"Cédric Le Goater" <clg@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PATCH v2 2/3] ftgmac100: Improve DMA error handling
Date: Mon, 23 Mar 2026 13:55:44 +0100 [thread overview]
Message-ID: <20260323125545.577653-3-clg@redhat.com> (raw)
In-Reply-To: <20260323125545.577653-1-clg@redhat.com>
Currently, DMA memory operation errors in the ftgmac100 model are not
all tested and this can lead to a guest-triggerable denial of service
as described in https://gitlab.com/qemu-project/qemu/-/work_items/3335.
To fix this, check the return value of ftgmac100_write_bd() in the TX
path and exit the TX loop on error to prevent further processing. In
the event of a DMA error, also set FTGMAC100_INT_AHB_ERR interrupt
flag as appropriate.
The FTGMAC100_INT_AHB_ERR interrupt status bit only applies to the
AST2400 SoC; on newer Aspeed SoCs, it is a reserved bit.
Nevertheless, since it is supported by the Linux driver and it should
be safe to use in the QEMU implementation across all SoCs.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335
Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>
Link: https://lore.kernel.org/qemu-devel/20260322215732.387383-3-clg@redhat.com
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/net/ftgmac100.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index d29f7dcd171b..2f05bba11d01 100644
--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
@@ -624,7 +624,10 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint64_t tx_ring,
bd.des0 &= ~FTGMAC100_TXDES0_TXDMA_OWN;
/* Write back the modified descriptor. */
- ftgmac100_write_bd(&bd, addr);
+ if (ftgmac100_write_bd(&bd, addr)) {
+ s->isr |= FTGMAC100_INT_AHB_ERR;
+ break;
+ }
/* Advance to the next descriptor. */
if (bd.des0 & s->txdes0_edotr) {
addr = tx_ring;
@@ -1134,7 +1137,10 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf,
bd.des0 |= flags | FTGMAC100_RXDES0_LRS;
s->isr |= FTGMAC100_INT_RPKT_BUF;
}
- ftgmac100_write_bd(&bd, addr);
+ if (ftgmac100_write_bd(&bd, addr)) {
+ s->isr |= FTGMAC100_INT_AHB_ERR;
+ break;
+ }
if (bd.des0 & s->rxdes0_edorr) {
addr = s->rx_ring;
} else {
--
2.53.0
next prev parent reply other threads:[~2026-03-23 12:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 12:55 [PATCH v2 0/3] aspeed: Improve error handling and fix DMA issues Cédric Le Goater
2026-03-23 12:55 ` [PATCH v2 1/3] hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling Cédric Le Goater
2026-03-23 12:55 ` Cédric Le Goater [this message]
2026-03-24 14:45 ` [PATCH v2 2/3] ftgmac100: Improve DMA " Michael Tokarev
2026-03-24 14:49 ` Cédric Le Goater
2026-03-23 12:55 ` [PATCH v2 3/3] hw/i2c/aspeed_i2c: Remove assert Cédric Le Goater
2026-03-23 13:21 ` [PATCH v2 0/3] aspeed: Improve error handling and fix DMA issues Cédric Le Goater
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260323125545.577653-3-clg@redhat.com \
--to=clg@redhat.com \
--cc=jamin_lin@aspeedtech.com \
--cc=kane_chen@aspeedtech.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox