qemu-devel.nongnu.org archive mirror
From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 001/108] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
Date: Wed,  6 Aug 2014 15:38:11 -0500
Message-ID: <1407357598-21541-2-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1407357598-21541-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Peter Maydell <peter.maydell@linaro.org>

The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.

Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/stellaris_enet.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index d04e6a4..bd844cd 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -253,10 +253,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset,
                 s->tx_fifo[s->tx_fifo_len++] = value >> 24;
             }
         } else {
-            s->tx_fifo[s->tx_fifo_len++] = value;
-            s->tx_fifo[s->tx_fifo_len++] = value >> 8;
-            s->tx_fifo[s->tx_fifo_len++] = value >> 16;
-            s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+            if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {
+                s->tx_fifo[s->tx_fifo_len++] = value;
+                s->tx_fifo[s->tx_fifo_len++] = value >> 8;
+                s->tx_fifo[s->tx_fifo_len++] = value >> 16;
+                s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+            }
             if (s->tx_fifo_len >= s->tx_frame_len) {
                 /* We don't implement explicit CRC, so just chop it off.  */
                 if ((s->tctl & SE_TCTL_CRC) == 0)
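Review bot: the new guard `if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo))` discards an oversized word with no trace, so a guest that pushes past the end of tx_fifo is indistinguishable from a well-behaved one; an `else` branch with `qemu_log_mask(LOG_GUEST_ERROR, ...)` would make the condition observable to whoever runs the VM, and a one-line comment above the `if` recording the "CRC word is just lost" assumption from the commit message would save the next reader a trip to the datasheet, which the message says does not settle the point. Worth noting in that comment as well: because the transmit check `if (s->tx_fifo_len >= s->tx_frame_len)` still runs after a dropped word, a tx_frame_len larger than the FIFO can now never be satisfied, which is the intended separation of "stuff a word" from "send the packet" but means such a frame is never sent rather than overrunning the buffer.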
-- 
1.9.1
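The corner case the commit message describes, modelled as an added, stand-alone example rather than QEMU's own code: a bounded word push (the "can we stuff another word in the FIFO" step) kept separate from the "should we transmit the packet now" check, run once on a well-formed frame and once on a frame whose declared length needs one more word than the FIFO holds. TX_FIFO_SIZE, TxModel, the scenario functions and the frames_sent/words_dropped counters are all hypothetical names chosen for this model; the real array size and device state are not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical FIFO size for this model; the real array lives in the
 * stellaris_enet device state and its size is not shown on this page. */
#define TX_FIFO_SIZE 64

typedef struct {
    uint8_t tx_fifo[TX_FIFO_SIZE];
    size_t tx_fifo_len;      /* bytes currently queued */
    size_t tx_frame_len;     /* bytes the guest declared for this frame */
    unsigned frames_sent;    /* counts transmit events instead of touching a NIC */
    unsigned words_dropped;  /* 32-bit words refused because the FIFO was full */
} TxModel;

/* Summary of one scenario, returned by value so callers can inspect it. */
typedef struct {
    unsigned frames_sent;
    unsigned words_dropped;
    size_t fifo_len;
} ScenarioResult;

/* Step 1: can we stuff another word in the FIFO?  Bounds-checked push with
 * the same shape as the patch's guard; a word that does not fit is dropped,
 * which is the behaviour the commit message attributes to the hardware. */
static bool tx_fifo_push_word(TxModel *s, uint32_t value)
{
    if (s->tx_fifo_len + 4 > sizeof(s->tx_fifo)) {
        s->words_dropped++;
        return false;
    }
    s->tx_fifo[s->tx_fifo_len++] = (uint8_t)value;
    s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(value >> 8);
    s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(value >> 16);
    s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(value >> 24);
    return true;
}

/* Step 2: should we transmit the packet now?  Evaluated on every write,
 * whether or not the word was accepted, as in the patched code. */
static bool tx_fifo_maybe_transmit(TxModel *s)
{
    if (s->tx_fifo_len < s->tx_frame_len) {
        return false;
    }
    s->frames_sent++;
    s->tx_fifo_len = 0;   /* frame handed off; reset for the next one */
    return true;
}

/* One guest write to the TX data register: push, then check for transmit. */
static void tx_write(TxModel *s, uint32_t value)
{
    tx_fifo_push_word(s, value);
    tx_fifo_maybe_transmit(s);
}

static ScenarioResult summarize(const TxModel *s)
{
    ScenarioResult r = { s->frames_sent, s->words_dropped, s->tx_fifo_len };
    return r;
}

/* Well-formed frame: 16 words of constructed payload for a 64-byte frame. */
ScenarioResult scenario_exact_fit(void)
{
    TxModel s;
    memset(&s, 0, sizeof(s));
    s.tx_frame_len = 64;
    for (int i = 0; i < 16; i++) {
        tx_write(&s, 0x41424344u + (uint32_t)i);
    }
    return summarize(&s);   /* one frame sent, nothing dropped, FIFO empty */
}

/* The corner case from the commit message: the guest declares a frame that
 * needs one more word (the CRC) than the FIFO can hold, then writes that
 * word anyway.  With the bounds check the extra word is counted as dropped
 * and tx_fifo_len never exceeds the array. */
ScenarioResult scenario_crc_overrun(void)
{
    TxModel s;
    memset(&s, 0, sizeof(s));
    s.tx_frame_len = TX_FIFO_SIZE + 4;
    for (int i = 0; i < TX_FIFO_SIZE / 4 + 1; i++) {
        tx_write(&s, 0xdeadbeefu);
    }
    return summarize(&s);   /* one word dropped, FIFO full, no frame sent */
}
```

The second scenario also shows the consequence the fix accepts: a declared frame length larger than the FIFO is never satisfied, so the packet is simply not sent, rather than the write running past the end of the array.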

Thread: 2014-08-06 20:38 [Qemu-devel] [000/108] Patch Round-up for stable 2.0.1, freeze on 2014-08-12 (Michael Roth)