From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Chuhong Yuan" <hslester96@gmail.com>,
"Jason Wang" <jasowang@redhat.com>,
"Alexander Bulekov" <alxndr@bu.edu>,
qemu-arm@nongnu.org, "Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Peter Maydell" <peter.maydell@linaro.org>
Subject: [PATCH-for-9.0 v2 02/11] hw/net/lan9118: Fix overflow in MIL TX FIFO
Date: Tue, 9 Apr 2024 15:37:51 +0200 [thread overview]
Message-ID: <20240409133801.23503-3-philmd@linaro.org> (raw)
In-Reply-To: <20240409133801.23503-1-philmd@linaro.org>
When the MAC Interface Layer (MIL) transmit FIFO is full,
truncate the packet, and raise the Transmitter Error (TXE)
flag.
Broken since model introduction in commit 2a42499017
("LAN9118 emulation").
When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:
hw/net/lan9118.c:798:17: runtime error:
index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
#0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
#1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
#2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
#3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
#4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
#5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
#6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
#7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
#8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
#9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
...
[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"
Reported-by: Will Lester
Reported-by: Chuhong Yuan <hslester96@gmail.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/net/lan9118.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 8214569a2c..91d81b410b 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -799,8 +799,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val)
/* Documentation is somewhat unclear on the ordering of bytes
in FIFO words. Empirical results show it to be little-endian.
*/
- /* TODO: FIFO overflow checking. */
while (n--) {
+ if (s->txp->len == MIL_TXFIFO_SIZE) {
+ /*
+ * No more space in the FIFO. The datasheet is not
+ * precise about this case. We choose what is easiest
+ * to model: the packet is truncated, and TXE is raised.
+ *
+ * Note, it could be a fragmented packet, but we currently
+ * do not handle that (see earlier TX_B case).
+ */
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "MIL TX FIFO overrun, discarding %u byte%s\n",
+ n, n > 1 ? "s" : "");
+ s->int_sts |= TXE_INT;
+ break;
+ }
s->txp->data[s->txp->len] = val & 0xff;
s->txp->len++;
val >>= 8;
--
2.41.0
next prev parent reply other threads:[~2024-04-09 13:39 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-09 13:37 [PATCH-for-9.0 v2 00/11] hw/net/lan9118: Fix overflow in TX FIFO Philippe Mathieu-Daudé
2024-04-09 13:37 ` [PATCH-for-9.0 v2 01/11] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition Philippe Mathieu-Daudé
2024-04-09 13:40 ` Peter Maydell
2024-04-09 13:37 ` Philippe Mathieu-Daudé [this message]
2024-04-09 13:41 ` [PATCH-for-9.0 v2 02/11] hw/net/lan9118: Fix overflow in MIL TX FIFO Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 03/11] hw/net/lan9118: Remove duplicated assignment Philippe Mathieu-Daudé
2024-04-09 13:44 ` Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 04/11] hw/net/lan9118: Replace magic '5' value by TX_FIF_SZ_RESET definition Philippe Mathieu-Daudé
2024-04-09 13:45 ` Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 05/11] hw/net/lan9118: Add definitions for FIFO allocated sizes Philippe Mathieu-Daudé
2024-04-09 13:52 ` Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 06/11] hw/net/lan9118: Use TX_DATA_FIFO_BYTES definition Philippe Mathieu-Daudé
2024-04-09 13:37 ` [PATCH-for-9.1 v2 07/11] hw/net/lan9118: Rename tx_fifo_size -> tx_fifo_bytes Philippe Mathieu-Daudé
2024-04-09 13:55 ` Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 08/11] hw/net/lan9118: Use RX_STATUS_FIFO_BYTES definition Philippe Mathieu-Daudé
2024-04-09 13:59 ` Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 09/11] hw/net/lan9118: Rename rx_status_fifo_size -> rx_status_fifo_wordcount Philippe Mathieu-Daudé
2024-04-09 14:03 ` Peter Maydell
2024-04-09 13:37 ` [PATCH-for-9.1 v2 10/11] hw/net/lan9118: Use RX_DATA_FIFO_BYTES definition Philippe Mathieu-Daudé
2024-04-09 14:05 ` Peter Maydell
2024-04-09 13:38 ` [PATCH-for-9.1 v2 11/11] hw/net/lan9118: Rename rx_fifo_size -> rx_fifo_wordcount Philippe Mathieu-Daudé
2024-04-09 14:34 ` [PATCH-for-9.0 v2 00/11] hw/net/lan9118: Fix overflow in TX FIFO Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240409133801.23503-3-philmd@linaro.org \
--to=philmd@linaro.org \
--cc=alxndr@bu.edu \
--cc=hslester96@gmail.com \
--cc=jasowang@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).