From: Peter Maydell <peter.maydell@linaro.org>
To: Anthony Liguori <aliguori@amazon.com>
Cc: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 03/17] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
Date: Tue, 13 May 2014 16:31:25 +0100
Message-ID: <1399995099-26635-4-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1399995099-26635-1-git-send-email-peter.maydell@linaro.org>
The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.
Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
---
hw/net/stellaris_enet.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index d04e6a4..bd844cd 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -253,10 +253,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset,
s->tx_fifo[s->tx_fifo_len++] = value >> 24;
}
} else {
- s->tx_fifo[s->tx_fifo_len++] = value;
- s->tx_fifo[s->tx_fifo_len++] = value >> 8;
- s->tx_fifo[s->tx_fifo_len++] = value >> 16;
- s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+ if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {
+ s->tx_fifo[s->tx_fifo_len++] = value;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 8;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 16;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+ }
if (s->tx_fifo_len >= s->tx_frame_len) {
/* We don't implement explicit CRC, so just chop it off. */
if ((s->tctl & SE_TCTL_CRC) == 0)
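Review bot: The new `if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo))` guard in the else-branch has no else path and no comment, so a reader of the code cannot tell that dropping the word when the FIFO is full is the intended behaviour rather than an oversight; the reasoning in the commit message ("the most plausible answer seems to be that the CRC word is just lost") should be captured next to the check, e.g. `/* FIFO full: the datasheet does not say what happens, so drop the word. */`. Since this path is reached only when a guest writes more than the FIFO can hold, it is also a reasonable place to report a guest error (QEMU's `qemu_log_mask(LOG_GUEST_ERROR, ...)`) rather than discard the write silently, which would help anyone debugging a guest driver that trips this case. The bound itself is correct: `<=` allows the FIFO to be filled to exactly `ARRAY_SIZE(s->tx_fifo)` bytes and never past it, and the four `tx_fifo_len++` stores stay within the array. Note that the transmit check `if (s->tx_fifo_len >= s->tx_frame_len)` that follows is still evaluated on the dropped-word path, so a frame whose final word was discarded is handled by the existing length comparison rather than left pending; the one-line `s->tx_fifo[s->tx_fifo_len++] = value >> 24;` context at the top of the hunk belongs to the other branch, whose own bound check is outside this hunk and should be verified to use the same `ARRAY_SIZE` limit.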
--
1.9.2