Re: [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Helge Deller <deller@gmx.de>
To: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
Cc: Jason Wang <jasowang@redhat.com>, Helge Deller <deller@gmx.de>,
	Sven Schnelle <svens@stackframe.org>,
	qemu-devel@nongnu.org
Subject: Re: [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539
Date: Fri, 24 Apr 2020 17:27:22 +0200	[thread overview]
Message-ID: <20200424152722.GA14573@ls3530.fritz.box> (raw)
In-Reply-To: <20200423231644.15786-1-f4bug@amsat.org>

* Philippe Mathieu-Daudé <f4bug@amsat.org>:
> Attempt to fix the launchpad bug filled by Helge:
>
>   In a qemu-system-hppa system, qemu release v5.0.0-rc,
>   the tulip nic driver is broken.  The tulip nic is detected,
>   even getting DHCP info does work.  But when trying to
>   download bigger files via network, the tulip driver gets
>   stuck.
>
> Philippe Mathieu-Daudé (3):
>   hw/net/tulip: Fix 'Descriptor Error' definition
>   hw/net/tulip: Log descriptor overflows
>   hw/net/tulip: Set descriptor error bit when lenght is incorrect
>
>  hw/net/tulip.h |  2 +-
>  hw/net/tulip.c | 32 ++++++++++++++++++++++++++++----
>  2 files changed, 29 insertions(+), 5 deletions(-)

Philippe, thanks for your efforts. Sadly your patch did not fixed the
bug itself, but it had some nice cleanups which should be included at
some point.

Regarding the tulip hang reported by me, the patch below does fix the
issue.

[PATCH] Fix tulip rx hang
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Fixes: 8ffb7265af ("check frame size and r/w data length")
Buglink: https://bugs.launchpad.net/bugs/1874539
Signed-off-by: Helge Deller <deller@gmx.de>

Commit 8ffb7265af ("check frame size and r/w data length") introduced
checks to prevent accesses outside of the rx/tx buffers. But the new
checks were plain wrong. rx_frame_len does count backwards, and the
surrounding code ensures that rx_frame_len will not be bigger than
rx_frame_size. Remove those checks again.

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 1295f51d07..59d21defcc 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
             len = s->rx_frame_len;
         }

-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
             len = s->rx_frame_len;
         }

-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;

next prev parent reply	other threads:[~2020-04-24 15:33 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-23 23:16 [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539 Philippe Mathieu-Daudé
2020-04-23 23:16 ` [RFC PATCH 1/3] hw/net/tulip: Fix 'Descriptor Error' definition Philippe Mathieu-Daudé
2020-04-23 23:16 ` [RFC PATCH 2/3] hw/net/tulip: Log descriptor overflows Philippe Mathieu-Daudé
2020-04-23 23:16 ` [RFC PATCH 3/3] hw/net/tulip: Set descriptor error bit when lenght is incorrect Philippe Mathieu-Daudé
2020-04-24  2:16   ` Jason Wang
2020-04-24 13:42     ` Helge Deller
2020-04-24 14:26   ` Eric Blake
2020-04-24 15:27 ` Helge Deller [this message]
2020-04-26  2:49   ` [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539 Jason Wang
2020-04-26  7:57     ` Peter Maydell
2020-04-27  3:32       ` Jason Wang
2020-05-12  7:13         ` Philippe Mathieu-Daudé
2020-05-13  2:18           ` Jason Wang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1295f51d0 dfblob:59d21defc )
 OR (
bs:"Re: [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200424152722.GA14573@ls3530.fritz.box \
    --to=deller@gmx.de \
    --cc=f4bug@amsat.org \
    --cc=jasowang@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=svens@stackframe.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).