From: Mauro Matteo Cascella <mcascell@redhat.com>
To: qemu-devel@nongnu.org
Cc: jasowang@redhat.com, dmitry.fleytman@gmail.com,
mcascell@redhat.com, ezrakiez@gmail.com
Subject: [PATCH 2/2] hw/net: check max_raw_frags in e1000e and vmxnet3 devices
Date: Mon, 27 Jul 2020 19:08:38 +0200 [thread overview]
Message-ID: <20200727170838.1101775-3-mcascell@redhat.com> (raw)
In-Reply-To: <20200727170838.1101775-1-mcascell@redhat.com>
This patch adds a check in both e1000e and vmxnet3 devices to skip the packet
if the current data fragment exceeds max_raw_frags, preventing
net_tx_pkt_add_raw_fragment() to be called with an invalid raw_frags.
Reported-by: Ziming Zhang <ezrakiez@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
hw/net/e1000e_core.c | 3 ++-
hw/net/vmxnet3.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index bcd186cac5..c573a30d63 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -728,7 +728,8 @@ e1000e_process_tx_desc(E1000ECore *core,
addr = le64_to_cpu(dp->buffer_addr);
if (!tx->skip_cp) {
- if (!net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
+ if (net_tx_pkt_exceed_max_fragments(tx->tx_pkt) ||
+ !net_tx_pkt_add_raw_fragment(tx->tx_pkt, addr, split_size)) {
tx->skip_cp = true;
}
}
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 7a6ca4ec35..f482806037 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -650,7 +650,8 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx)
data_len = (txd.len > 0) ? txd.len : VMXNET3_MAX_TX_BUF_SIZE;
data_pa = txd.addr;
- if (!net_tx_pkt_add_raw_fragment(s->tx_pkt,
+ if (net_tx_pkt_exceed_max_fragments(s->tx_pkt) ||
+ !net_tx_pkt_add_raw_fragment(s->tx_pkt,
data_pa,
data_len)) {
s->skip_current_tx_pkt = true;
--
2.26.2
next prev parent reply other threads:[~2020-07-27 17:12 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 17:08 [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c Mauro Matteo Cascella
2020-07-27 17:08 ` [PATCH 1/2] hw/net/net_tx_pkt: add function to check pkt->max_raw_frags Mauro Matteo Cascella
2020-07-28 4:06 ` Jason Wang
2020-07-28 16:26 ` Mauro Matteo Cascella
2020-07-30 5:27 ` Jason Wang
2020-07-30 17:05 ` Mauro Matteo Cascella
2020-07-31 3:33 ` Jason Wang
2020-07-27 17:08 ` Mauro Matteo Cascella [this message]
2020-07-27 17:29 ` [PATCH 0/2] assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c Alexander Bulekov
2020-07-28 16:59 ` Mauro Matteo Cascella
2020-07-29 8:48 ` Dmitry Fleytman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200727170838.1101775-3-mcascell@redhat.com \
--to=mcascell@redhat.com \
--cc=dmitry.fleytman@gmail.com \
--cc=ezrakiez@gmail.com \
--cc=jasowang@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).