* [Qemu-devel] eepro100 issues
@ 2007-04-05 20:34 Juergen Lock
2007-04-08 21:06 ` [Qemu-devel] [Patch] " Stefan Weil
0 siblings, 1 reply; 3+ messages in thread
From: Juergen Lock @ 2007-04-05 20:34 UTC (permalink / raw)
To: qemu-devel
Hi again!
I also played with the new eepro100 nic and found these things:
1. i82557b seems to work with http://debian.tu-bs.de/project/sidux/release/SIDUX-2007-01-200702210759-CHAOS.ISO (see http://www.sidux.com/Article116.html, it is based on debian sid), but
2. i82551 and i82559er with the same livecd sooner or later will cause
qemu to crash like this with no backtrace available:
% gdb work/qemu-snapshot-2007-04-05_05/i386-softmmu/qemu qemu.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `qemu'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /lib/libz.so.3...done.
Loaded symbols for /lib/libz.so.3
Reading symbols from /usr/local/lib/libSDL.so.11...done.
Loaded symbols for /usr/local/lib/libSDL.so.11
Reading symbols from /lib/libutil.so.5...done.
Loaded symbols for /lib/libutil.so.5
Reading symbols from /usr/lib/libpthread.so.2...done.
Loaded symbols for /usr/lib/libpthread.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.6
Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.6
Reading symbols from /usr/X11R6/lib/libXrandr.so.2...done.
Loaded symbols for /usr/X11R6/lib/libXrandr.so.2
Reading symbols from /usr/X11R6/lib/libXrender.so.1...done.
Loaded symbols for /usr/X11R6/lib/libXrender.so.1
Reading symbols from /usr/local/lib/libvga.so.1...done.
Loaded symbols for /usr/local/lib/libvga.so.1
Reading symbols from /usr/lib/libvgl.so.4...done.
Loaded symbols for /usr/lib/libvgl.so.4
Reading symbols from /usr/local/lib/libaa.so.1...done.
Loaded symbols for /usr/local/lib/libaa.so.1
Reading symbols from /usr/lib/libusbhid.so.2...done.
Loaded symbols for /usr/lib/libusbhid.so.2
Reading symbols from /lib/libncurses.so.6...done.
Loaded symbols for /lib/libncurses.so.6
Reading symbols from /usr/X11R6/lib/X11/locale/lib/common/xlcDef.so.2...done.
Loaded symbols for /usr/X11R6/lib/X11/locale/lib/common/xlcDef.so.2
Reading symbols from /usr/X11R6/lib/X11/locale/lib/common/ximcp.so.2...done.
Loaded symbols for /usr/X11R6/lib/X11/locale/lib/common/ximcp.so.2
Reading symbols from /usr/X11R6/lib/libXcursor.so.1...done.
Loaded symbols for /usr/X11R6/lib/libXcursor.so.1
Reading symbols from /usr/X11R6/lib/libXfixes.so.3...done.
Loaded symbols for /usr/X11R6/lib/libXfixes.so.3
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x00000000 in ?? ()
[New LWP 100186]
(gdb) q
(this first occurred when playing with -smb in runlevel 2 which can be
mounted like this:
# mount.smbfs //10.0.2.4/qemu /mnt
and then dd'ing a bigger file to /dev/null, I was trying to test network
throughput... but once it even crashed like that just while typing
the mount command.)
3. And with http://ftp.us.freesbie.org/pub/FreeSBIE/2.0.1-RELEASE/FreeSBIE-2.0.1-RELEASE.iso (see http://www.freesbie.org/, based on FreeBSD 6.2) i82557b and i82559er worked, but
4. i82551 attached but would not receive packets.
Hope this is helpful to some :)
Juergen
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [Patch] eepro100 issues
2007-04-05 20:34 [Qemu-devel] eepro100 issues Juergen Lock
@ 2007-04-08 21:06 ` Stefan Weil
2007-04-10 20:01 ` Juergen Lock
0 siblings, 1 reply; 3+ messages in thread
From: Stefan Weil @ 2007-04-08 21:06 UTC (permalink / raw)
To: qemu-devel
The crashes are caused by transmit descriptors with packet sizes
larger than the buffer which is defined in the driver. Using netperf
or rsync will always result in a buffer overflow and crash QEMU
with the current eepro100 driver.
Up to now I could not find the reason for these large packet sizes.
My patch now just ignores data which does not fit in a normal frame.
Netperf and rsync no longer crash when the patch is applied.
Stefan
Juergen Lock schrieb:
> Hi again!
>
> I also played with the new eepro100 nic and found these things:
>
> 1. i82557b seems to work with http://debian.tu-bs.de/project/sidux/release/SIDUX-2007-01-200702210759-CHAOS.ISO (see http://www.sidux.com/Article116.html, it is based on debian sid), but
>
> 2. i82551 and i82559er with the same livecd sooner or later will cause
> qemu to crash like this with no backtrace available:
[-- Attachment #2: eepro100.patch --]
[-- Type: text/x-diff, Size: 2711 bytes --]
--- ../branches/head/hw/eepro100.c 2007-04-07 22:53:04.000000000 +0200
+++ hw/eepro100.c 2007-04-08 22:43:13.000000000 +0200
@@ -729,6 +729,7 @@
logout
("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
tx_buffer_address, tx_buffer_size);
+ assert(size + tx_buffer_size <= sizeof(buf));
cpu_physical_memory_read(tx_buffer_address, &buf[size],
tx_buffer_size);
size += tx_buffer_size;
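Review bot: the `assert(size + tx_buffer_size <= sizeof(buf));` added in the simplified-mode path turns a guest-supplied oversized descriptor into an abort of the whole QEMU process, and it is compiled out entirely under NDEBUG, which puts the original overflow straight back. The extended and flexible paths in this same patch log and skip instead; suggest the same `if (size + tx_buffer_size > sizeof(buf)) { logout(...); } else { ... }` form here so a misbehaving guest cannot take the emulator down, and so the bound holds in release builds.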
@@ -749,9 +750,13 @@
logout
("TBD (extended mode): buffer address 0x%08x, size 0x%04x\n",
tx_buffer_address, tx_buffer_size);
- cpu_physical_memory_read(tx_buffer_address, &buf[size],
- tx_buffer_size);
- size += tx_buffer_size;
+ if (size + tx_buffer_size > sizeof(buf)) {
+ logout("bad extended TCB with size 0x%04x\n", tx_buffer_size);
+ } else {
+ cpu_physical_memory_read(tx_buffer_address, &buf[size],
+ tx_buffer_size);
+ size += tx_buffer_size;
+ }
if (tx_buffer_el & 1) {
break;
}
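Review bot: after an oversized extended TCB is logged and skipped, the loop falls through to the `if (tx_buffer_el & 1)` test and the function later calls qemu_send_packet with whatever has accumulated in buf, so a bad descriptor still produces a truncated frame on the wire. Consider breaking out of the loop and returning without sending, and signalling the failure to the guest on the bad-status path the comment at the end of this patch mentions (CX/TNO). The comparison `size + tx_buffer_size > sizeof(buf)` is fine as long as the sum cannot wrap for the types involved; writing it as `tx_buffer_size > sizeof(buf) - size` sidesteps that question.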
@@ -766,14 +771,20 @@
logout
("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
tx_buffer_address, tx_buffer_size);
- cpu_physical_memory_read(tx_buffer_address, &buf[size],
- tx_buffer_size);
- size += tx_buffer_size;
+ if (size + tx_buffer_size > sizeof(buf)) {
+ logout("bad flexible TCB with size 0x%04x\n", tx_buffer_size);
+ } else {
+ cpu_physical_memory_read(tx_buffer_address, &buf[size],
+ tx_buffer_size);
+ size += tx_buffer_size;
+ }
if (tx_buffer_el & 1) {
break;
}
}
}
+ logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size));
+ assert(size <= sizeof(buf));
qemu_send_packet(s->vc, buf, size);
s->statistics.tx_good_frames++;
/* Transmit with bad status would raise an CX/TNO interrupt.
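Review bot: the new `logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size));` evaluates nic_dump() on every transmitted frame unless logout discards its arguments at compile time; please confirm it does, because dumping each frame on the transmit path is costly. The trailing `assert(size <= sizeof(buf));` is reached only after every branch has already bounded size, so it is a belt-and-braces check that, if it ever fires, aborts QEMU (same concern as the first hunk). The flexible-mode branch has the same partial-frame issue as the extended one: the skipped descriptor does not stop the frame from being sent.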
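To show the failure mode Stefan describes (a guest-controlled descriptor size walking past a fixed frame buffer) and the bound check his patch adds, here is an added, self-contained C example. It is not code from QEMU or from the patch: the descriptor layout `struct tbd`, the frame size `MAX_ETH_FRAME_SIZE`, and `guest_read()` standing in for `cpu_physical_memory_read()` are all assumptions, and the guest memory and descriptors are constructed inline. It goes one step further than the patch by dropping the whole TCB instead of sending a truncated frame, and by comparing against the remaining space so the check itself cannot wrap.

```c
/* Added example, not part of QEMU or of the eepro100 patch above.
 * Assembles a transmit frame from guest-supplied transmit buffer
 * descriptors (TBDs) with the bound check the patch introduces. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_ETH_FRAME_SIZE 1518   /* assumed size of the frame buffer */
#define GUEST_RAM_SIZE     65536  /* constructed toy guest memory */

/* Simplified TBD as the guest driver would fill it in (assumed layout). */
struct tbd {
    uint32_t address;   /* guest-physical address of the data */
    uint16_t size;      /* byte count, fully under guest control */
    uint8_t  el;        /* end-of-list bit */
};

/* Constructed stand-in for guest physical memory. */
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Stand-in for cpu_physical_memory_read(): 0 on success, -1 if the
 * guest address range itself lies outside guest RAM. */
static int guest_read(uint32_t addr, uint8_t *dst, size_t len)
{
    if (addr > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr)
        return -1;
    memcpy(dst, guest_ram + addr, len);
    return 0;
}

/* Assemble a frame from up to max_tbds descriptors into out[out_cap].
 * Returns the frame length, or -1 if any descriptor would overrun the
 * buffer; the frame is then dropped as a whole rather than sent short. */
static int assemble_frame(const struct tbd *tbds, size_t max_tbds,
                          uint8_t *out, size_t out_cap)
{
    size_t size = 0;
    for (size_t i = 0; i < max_tbds; i++) {
        /* Compare with the remaining space rather than computing
         * size + tbd.size, so the check cannot wrap around. */
        if (tbds[i].size > out_cap - size) {
            fprintf(stderr, "bad TCB: descriptor %zu size 0x%04x exceeds "
                    "remaining 0x%zx\n", i, tbds[i].size, out_cap - size);
            return -1;
        }
        if (guest_read(tbds[i].address, out + size, tbds[i].size) != 0)
            return -1;
        size += tbds[i].size;
        if (tbds[i].el & 1)
            break;
    }
    return (int)size;
}

/* Frame buffer followed by a canary so an overrun would be visible. */
struct frame_buf {
    uint8_t  data[MAX_ETH_FRAME_SIZE];
    uint32_t canary;
};

/* Runs one descriptor list; returns the frame length, -1 for a rejected
 * TCB, or -2 if the canary behind the buffer was clobbered. */
static int run_case(const struct tbd *tbds, size_t n)
{
    struct frame_buf fb;
    memset(&fb, 0, sizeof fb);
    fb.canary = 0xDEADBEEFu;
    int len = assemble_frame(tbds, n, fb.data, sizeof fb.data);
    return fb.canary == 0xDEADBEEFu ? len : -2;
}

/* Two well-formed descriptors: a 14-byte header and a 100-byte payload. */
int demo_valid_frame(void)
{
    memset(guest_ram, 0xAB, sizeof guest_ram);   /* constructed contents */
    struct tbd tbds[2] = { { 0x1000, 14, 0 }, { 0x2000, 100, 1 } };
    return run_case(tbds, 2);                     /* 114 */
}

/* Three 600-byte descriptors: the third would push the frame past 1518
 * bytes, which is exactly the overflow the unpatched driver suffered. */
int demo_oversized_frame(void)
{
    struct tbd tbds[3] = { { 0x1000, 600, 0 }, { 0x2000, 600, 0 },
                           { 0x3000, 600, 1 } };
    return run_case(tbds, 3);                     /* -1, canary intact */
}

int main(void)
{
    printf("valid frame: %d\n", demo_valid_frame());
    printf("oversized frame: %d\n", demo_oversized_frame());
    return 0;
}
```

Rejecting the whole TCB (rather than skipping one descriptor and still transmitting) keeps a malformed guest descriptor list from producing a half-assembled frame, and a plain return keeps the check effective in builds where assert() is compiled out.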
* Re: [Qemu-devel] [Patch] eepro100 issues
2007-04-08 21:06 ` [Qemu-devel] [Patch] " Stefan Weil
@ 2007-04-10 20:01 ` Juergen Lock
0 siblings, 0 replies; 3+ messages in thread
From: Juergen Lock @ 2007-04-10 20:01 UTC (permalink / raw)
To: weil; +Cc: qemu-devel
In article <4619593E.60201@mail.berlios.de> you write:
>
>The crashes are caused by transmit descriptors with packet sizes
>larger than the buffer which is defined in the driver. Using netperf
>or rsync will always result in a buffer overflow and crash QEMU
>with the current eepro100 driver.
>
>Up to now I could not find the reason for these large packet sizes.
>
>My patch now just ignores data which does not fit in a normal frame.
>Netperf and rsync no longer crash when the patch is applied.
Thanx, that seems to fix my crashes.
Juergen