* [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes
@ 2011-09-28 11:12 Jan Kiszka
2011-09-28 11:12 ` [Qemu-devel] [PATCH 1/2] slirp: Fix use after release on tcp_input Jan Kiszka
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Jan Kiszka @ 2011-09-28 11:12 UTC (permalink / raw)
To: Anthony Liguori, qemu-devel; +Cc: Thomas Huth, Fabien Chouteau
The following changes since commit 46f3069cba94aab44b3b4f87bc270759b4a700fa:
PPC: use memory API to construct the PCI hole (2011-09-27 19:16:46 +0000)
are available in the git repository at:
git://git.kiszka.org/qemu.git queues/slirp
CC: Fabien Chouteau <chouteau@adacore.com>
CC: Thomas Huth <thuth@linux.vnet.ibm.com>
Jan Kiszka (1):
slirp: Fix use after release on tcp_input
Thomas Huth (1):
slirp: Fix packet expiration
slirp/mbuf.h | 5 +++--
slirp/tcp_input.c | 22 ++++++++++------------
2 files changed, 13 insertions(+), 14 deletions(-)
--
1.7.3.4
* [Qemu-devel] [PATCH 1/2] slirp: Fix use after release on tcp_input
2011-09-28 11:12 [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes Jan Kiszka
@ 2011-09-28 11:12 ` Jan Kiszka
2011-09-28 11:12 ` [Qemu-devel] [PATCH 2/2] slirp: Fix packet expiration Jan Kiszka
2011-09-29 20:05 ` [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes Anthony Liguori
2 siblings, 0 replies; 4+ messages in thread
From: Jan Kiszka @ 2011-09-28 11:12 UTC (permalink / raw)
To: Anthony Liguori, qemu-devel
ti points into the m buffer. But the latter may already be released
right after the dodata: label. Move the test before the potential
release.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
slirp/tcp_input.c | 22 ++++++++++------------
1 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 2f1a196..942aaf4 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1157,6 +1157,16 @@ step6:
dodata:
/*
+ * If this is a small packet, then ACK now - with Nagel
+ * congestion avoidance sender won't send more until
+ * he gets an ACK.
+ */
+ if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+ ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+ tp->t_flags |= TF_ACKNOW;
+ }
+
+ /*
* Process the segment text, merging it into the TCP sequencing queue,
* and arranging for acknowledgment of receipt if necessary.
* This process logically involves adjusting tp->rcv_wnd as data
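Review bot: The comment added above the moved test at the top of dodata: still explains only the small-packet ACK and says nothing about why the test has to sit here. The commit message gives the real reason (ti points into m, and m may be released below this point), and that belongs in the comment so a later cleanup does not move the ti->ti_len / first_char read back down. While touching the comment, "Nagel" should read "Nagle".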
@@ -1235,18 +1245,6 @@ dodata:
}
/*
- * If this is a small packet, then ACK now - with Nagel
- * congestion avoidance sender won't send more until
- * he gets an ACK.
- *
- * See above.
- */
- if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
- ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
- tp->t_flags |= TF_ACKNOW;
- }
-
- /*
* Return any desired output.
*/
if (needoutput || (tp->t_flags & TF_ACKNOW)) {
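Review bot: With the test gone from the end of dodata:, TF_ACKNOW is set before the segment text is processed instead of just ahead of the "if (needoutput || (tp->t_flags & TF_ACKNOW))" check, so everything in between now runs with the flag already set. The commit message should state that this reordering does not change behaviour for that intermediate code. The remaining context reads only tp and needoutput, which is what the fix wants; a short comment here that ti and m must not be dereferenced past the release would keep it that way.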
--
1.7.3.4
* [Qemu-devel] [PATCH 2/2] slirp: Fix packet expiration
2011-09-28 11:12 [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes Jan Kiszka
2011-09-28 11:12 ` [Qemu-devel] [PATCH 1/2] slirp: Fix use after release on tcp_input Jan Kiszka
@ 2011-09-28 11:12 ` Jan Kiszka
2011-09-29 20:05 ` [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes Anthony Liguori
2 siblings, 0 replies; 4+ messages in thread
From: Jan Kiszka @ 2011-09-28 11:12 UTC (permalink / raw)
To: Anthony Liguori, qemu-devel; +Cc: Thomas Huth, Fabien Chouteau
From: Thomas Huth <thuth@linux.vnet.ibm.com>
The two new variables "arp_requested" and "expiration_date" in the mbuf
structure have been added after the variable-sized "m_dat_" array. The
variables have to be added before the m_dat_ array instead.
Without this patch, the expiration_date gets clobbered by code that
accesses the m_dat_ array.
I experienced this problem with the code in slirp/tftp.c: The
tftp_send_data() function created a new packet with the m_get()
function (which fills in a default expiration_date value). Then the
TFTP code cleared the data section of the packet, which accidentally
also cleared the expiration_date. This zeroed expiration_date then
finally causes the packet to be discarded during if_start(), so that
TFTP packets were not transmitted anymore.
[Jan: added comment as suggested by Fabien ]
CC: Fabien Chouteau <chouteau@adacore.com>
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
slirp/mbuf.h | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/slirp/mbuf.h b/slirp/mbuf.h
index 55170e5..0708840 100644
--- a/slirp/mbuf.h
+++ b/slirp/mbuf.h
@@ -82,12 +82,13 @@ struct m_hdr {
struct mbuf {
struct m_hdr m_hdr;
Slirp *slirp;
+ bool arp_requested;
+ uint64_t expiration_date;
+ /* start of dynamic buffer area, must be last element */
union M_dat {
char m_dat_[1]; /* ANSI don't like 0 sized arrays */
char *m_ext_;
} M_dat;
- bool arp_requested;
- uint64_t expiration_date;
};
#define m_next m_hdr.mh_next
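Review bot: The "must be last element" rule on union M_dat in struct mbuf is carried only by the new comment, and the removed lines show how easily members end up after it. A build-time assertion comparing offsetof(struct mbuf, M_dat) with the offsets of arp_requested and expiration_date would turn the next misplaced member into a compile error instead of a silently clobbered field. The comment could also say what goes wrong (writes to m_dat_ run over anything placed after it), since "char m_dat_[1]" does not look variable-sized on its own.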
--
1.7.3.4
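The clobbering described in the commit message above, reproduced as an added example (not code from the patch or from QEMU). The structs are cut-down stand-ins: `mbuf_old`, `mbuf_new`, `hdr_stub`, `PAYLOAD` and `DEFAULT_EXPIRY` are assumptions made for the demonstration; only the member names `arp_requested`, `expiration_date`, `m_dat_` and `m_ext_` come from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_EXPIRY UINT64_MAX /* constructed stand-in for the m_get() default */
#define PAYLOAD 512               /* constructed size of the packet data section */
union M_dat { char m_dat_[1]; char *m_ext_; };

/* Layout before the patch: the two fields sit after the buffer area. */
struct mbuf_old {
    void *hdr_stub;               /* assumption: stands in for m_hdr and slirp */
    union M_dat M_dat;
    bool arp_requested;
    uint64_t expiration_date;
};

/* Layout after the patch: the buffer area is the last member. */
struct mbuf_new {
    void *hdr_stub;
    bool arp_requested;
    uint64_t expiration_date;
    union M_dat M_dat;
};

/* Allocate header plus payload, store the default expiry, zero the data
 * section starting at dat_off (as the TFTP code did), return what is left. */
static uint64_t expiry_after_clear(size_t hdr_size, size_t dat_off, size_t exp_off)
{
    uint64_t expiry = DEFAULT_EXPIRY;
    unsigned char *m = malloc(hdr_size + PAYLOAD);
    if (!m) abort();
    memcpy(m + exp_off, &expiry, sizeof expiry);
    memset(m + dat_off, 0, PAYLOAD);       /* stays inside the allocation */
    memcpy(&expiry, m + exp_off, sizeof expiry);
    free(m);
    return expiry;
}

#define EXPIRY_FOR(T) expiry_after_clear(sizeof(T), offsetof(T, M_dat), offsetof(T, expiration_date))
uint64_t old_layout_expiry(void) { return EXPIRY_FOR(struct mbuf_old); }
uint64_t new_layout_expiry(void) { return EXPIRY_FOR(struct mbuf_new); }

int main(void) {
    printf("old layout: %#llx\n", (unsigned long long)old_layout_expiry());
    printf("new layout: %#llx\n", (unsigned long long)new_layout_expiry());
    return 0;
}
```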
* Re: [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes
2011-09-28 11:12 [Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes Jan Kiszka
2011-09-28 11:12 ` [Qemu-devel] [PATCH 1/2] slirp: Fix use after release on tcp_input Jan Kiszka
2011-09-28 11:12 ` [Qemu-devel] [PATCH 2/2] slirp: Fix packet expiration Jan Kiszka
@ 2011-09-29 20:05 ` Anthony Liguori
2 siblings, 0 replies; 4+ messages in thread
From: Anthony Liguori @ 2011-09-29 20:05 UTC (permalink / raw)
To: Jan Kiszka; +Cc: qemu-devel, Fabien Chouteau, Thomas Huth
On 09/28/2011 06:12 AM, Jan Kiszka wrote:
> The following changes since commit 46f3069cba94aab44b3b4f87bc270759b4a700fa:
>
> PPC: use memory API to construct the PCI hole (2011-09-27 19:16:46 +0000)
>
> are available in the git repository at:
> git://git.kiszka.org/qemu.git queues/slirp
Pulled. Thanks.
Regards,
Anthony Liguori
>
> CC: Fabien Chouteau<chouteau@adacore.com>
> CC: Thomas Huth<thuth@linux.vnet.ibm.com>
>
> Jan Kiszka (1):
> slirp: Fix use after release on tcp_input
>
> Thomas Huth (1):
> slirp: Fix packet expiration
>
> slirp/mbuf.h | 5 +++--
> slirp/tcp_input.c | 22 ++++++++++------------
> 2 files changed, 13 insertions(+), 14 deletions(-)
>