From: Jason Wang <jasowang@redhat.com>
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: "Stefan Hajnoczi" <stefanha@redhat.com>,
qemu-stable@nongnu.org, "Alexander Bulekov" <alxndr@bu.edu>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Jason Wang" <jasowang@redhat.com>
Subject: [PULL 50/50] rtl8139: fix large_send_mss divide-by-zero
Date: Tue, 23 May 2023 15:32:38 +0800
Message-ID: <20230523073238.54236-51-jasowang@redhat.com>
In-Reply-To: <20230523073238.54236-1-jasowang@redhat.com>
From: Stefan Hajnoczi <stefanha@redhat.com>
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.
Solve these issues by skipping offloading when large_send_mss=0.
This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:
$ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
rtl8139,netdev=net0 -netdev user,id=net0 -device \
pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
memory-backend-ram,id=mem1,size=2M -qtest stdio
outl 0xcf8 0x80000814
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000037 0x1 0x04
write 0xe00000e0 0x2 0x01
write 0x1 0x1 0x04
write 0x3 0x1 0x98
write 0xa 0x1 0x8c
write 0xb 0x1 0x02
write 0xc 0x1 0x46
write 0xd 0x1 0xa6
write 0xf 0x1 0xb8
write 0xb800a646028c000c 0x1 0x08
write 0xb800a646028c000e 0x1 0x47
write 0xb800a646028c0010 0x1 0x02
write 0xb800a646028c0017 0x1 0x06
write 0xb800a646028c0036 0x1 0x80
write 0xe00000d9 0x1 0x40
EOF
Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1582
Cc: qemu-stable@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/rtl8139.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 5a5aaf8..5f1a4d3 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) &
CP_TC_LGSEN_MSS_MASK;
+ if (large_send_mss == 0) {
+ goto skip_offload;
+ }
DPRINTF("+++ C+ mode offloaded task TSO IP data %d "
"frame data %d specified MSS=%d\n",
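Review bot: the new guard takes the `goto skip_offload` silently, so a descriptor programmed with MSS=0 leaves no trace in the DPRINTF output and is indistinguishable from an ordinary non-offloaded transmit; since the hunk already has `DPRINTF("+++ C+ mode offloaded task TSO IP data %d "` right after the check, a one-line DPRINTF before the goto, or a short comment stating that MSS=0 would divide by zero and make the MSS-sized emission loop non-terminating, would keep the reason for the early exit visible at the code rather than only in the commit message. The check is correctly placed before any use of `large_send_mss`, which is read straight from the guest-controlled `txdw0`; the `skip_offload` label itself is outside the visible context, so its fall-back behaviour cannot be confirmed from this hunk.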
--
2.7.4
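The two failure modes the commit message names (division by MSS and a loop stepping by MSS that never terminates) and the guard the patch adds, as an added C model written for this page rather than QEMU's own code. The shift/mask constants and the function names are assumptions for the model; the descriptor word txdw0 and the MSS=0 decision are as on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the MSS field in the C+ TX descriptor word txdw0;
 * constants are modelled on the RTL8139 datasheet, not taken from the page. */
#define CP_TC_LGSEN_MSS_SHIFT 16
#define CP_TC_LGSEN_MSS_MASK  0x7ff
#define SKIP_OFFLOAD (-1)

/* Extract the guest-programmed large-send MSS from the descriptor word. */
static int large_send_mss_from_txdw0(uint32_t txdw0)
{
    return (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) & CP_TC_LGSEN_MSS_MASK;
}

/* Model of the TSO segmentation path: returns how many MSS-sized frames
 * are emitted for tcp_data_len payload bytes, or SKIP_OFFLOAD for MSS=0.
 * Without the guard, the division below faults and the for loop, which
 * advances by mss, would never reach tcp_data_len. */
static int tso_segment_count(uint32_t txdw0, size_t tcp_data_len)
{
    int mss = large_send_mss_from_txdw0(txdw0);
    if (mss == 0) {                    /* the same decision as the fix */
        return SKIP_OFFLOAD;
    }

    int expected = (int)((tcp_data_len + mss - 1) / mss); /* divides by mss */
    int emitted = 0;
    for (size_t off = 0; off < tcp_data_len; off += mss) {
        emitted++;                     /* one frame per MSS-sized chunk */
    }
    return emitted == expected ? emitted : -2;  /* -2 flags a model bug */
}

/* Build a descriptor word carrying a given MSS (all other bits zero). */
static uint32_t txdw0_with_mss(unsigned mss)
{
    return (uint32_t)(mss & CP_TC_LGSEN_MSS_MASK) << CP_TC_LGSEN_MSS_SHIFT;
}

int main(void)
{
    printf("MSS 1460, 4000 bytes: %d segments\n",
           tso_segment_count(txdw0_with_mss(1460), 4000));
    printf("MSS 0: %d (offload skipped)\n",
           tso_segment_count(txdw0_with_mss(0), 4000));
    return 0;
}
```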