Message-ID: <55DE65AB.1080509@redhat.com>
Date: Wed, 26 Aug 2015 21:19:39 -0400
From: Vlad Yasevich
In-Reply-To: <1440618669-9028-1-git-send-email-vyasevic@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 0/2] rtl8139: Fix buffer overflow in standard mode
To: qemu-devel@nongnu.org
Cc: jasowang@redhat.com, stefanha@redhat.com

On 08/26/2015 03:51 PM, Vladislav Yasevich wrote:
> When the rtl8139 card is running in standard mode, it is very easy
> to overflow the receive buffer and get into a situation
> where all packets are dropped. A simple reproduction case is
> to ping the guest from the host with 6500 byte packets.
>
> There are actually 2 problems here.
> 1) When the rtl8139 buffer is overflowed, the card emulation
> returns the size of the packet back to the queue.
> This signals successful reception even though the packet
> has been dropped. The proper solution is to return 0, so
> that the packet is re-queued and will be resubmitted later.
>
> 2) When packets are sized such that the fragments end up completely
> filling the receive buffer without overflow, the device thinks
> that the buffer is actually empty (instead of full). This causes the
> next packet to overwrite the existing packets. With the above
> ping reproducer, every ICMP packet fills the buffer and thus keeps
> overwriting the previous packet and never wakes up the guest.
> The solution here is to track the number of unread bytes separately
> so we would know if we have anything in the buffer to read or not.
>
> V2: instead of tracking the buffer_full condition, changed the code, as
> suggested by Stefan Hajnoczi, to track the number of unread bytes
> instead. We initialize it to 0 at the start, adjust it on every
> receive from the network and read from the guest, and can set
> the number of unread bytes to the full buffer size when the buffer is
> full.
>
> Vladislav Yasevich (2):
>   rtl8139: Do not consume the packet during overflow in standard mode.
>   rtl8139: correctly track full receive buffer in standard mode
>

Self nack. The second patch is wrong. Will resubmit when fixed.

-vlad

>  hw/net/rtl8139.c | 44 +++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 39 insertions(+), 5 deletions(-)
>
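As an added example for this page (written here, not code from the patch series or from QEMU's hw/net/rtl8139.c), a small C model of the two failure modes the cover letter describes: a receive ring whose "free space" is derived from the write and read offsets alone cannot tell an exactly full ring from an empty one, and a receive path that returns the packet length on overflow makes the caller believe a dropped packet was delivered. The ring size, the function and field names, and the flat byte ring without the device's per-packet headers are assumptions of the model, not the rtl8139 layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 64  /* hypothetical; the real ring is larger and carries per-packet headers */

typedef struct {
    uint8_t buf[RING_SIZE];
    size_t wr, rd;  /* device write offset, guest read offset */
    size_t unread;  /* bytes written but not yet read: the V2 approach */
} rx_ring;

/* Free space from the offsets alone: wr == rd reads as "empty", but an
 * exactly full ring has wr == rd too, so it reports RING_SIZE free. */
static size_t free_naive(const rx_ring *r)
{
    return RING_SIZE - (r->wr + RING_SIZE - r->rd) % RING_SIZE;
}

/* Free space from the tracked count: full and empty are distinct. */
static size_t free_fixed(const rx_ring *r)
{
    return RING_SIZE - r->unread;
}

static void ring_put(rx_ring *r, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        r->buf[(r->wr + i) % RING_SIZE] = p[i];
    r->wr = (r->wr + len) % RING_SIZE;
    r->unread += len;
}

/* Pre-fix path: a dropped packet still returns len, so the caller thinks
 * it was delivered (bug 1), and "free" comes from the offsets only (bug 2). */
static size_t receive_naive(rx_ring *r, const uint8_t *p, size_t len)
{
    if (len > free_naive(r)) return len;
    ring_put(r, p, len);  /* clobbers unread data when free_naive is wrong */
    return len;
}

/* Fixed path: 0 means "not consumed", so the caller re-queues the packet. */
static size_t receive_fixed(rx_ring *r, const uint8_t *p, size_t len)
{
    if (len > free_fixed(r)) return 0;
    ring_put(r, p, len);
    return len;
}

/* Guest side: drain up to n bytes and keep the unread count in step. */
static size_t guest_read(rx_ring *r, uint8_t *out, size_t n)
{
    if (n > r->unread) n = r->unread;
    for (size_t i = 0; i < n; i++)
        out[i] = r->buf[(r->rd + i) % RING_SIZE];
    r->rd = (r->rd + n) % RING_SIZE;
    r->unread -= n;
    return n;
}

/* Deliver `count` constructed packets of `len` bytes; return the last result. */
static size_t deliver(rx_ring *r, int fixed, size_t len, int count)
{
    uint8_t pkt[RING_SIZE + 1];
    size_t ret = 0;
    memset(pkt, 0xAB, sizeof pkt);  /* constructed payload, contents irrelevant */
    for (int i = 0; i < count; i++)
        ret = fixed ? receive_fixed(r, pkt, len) : receive_naive(r, pkt, len);
    return ret;
}

/* Cover-letter scenario: two packets fill the ring exactly.  Naive then
 * reports RING_SIZE free (full looks empty); fixed reports 0. */
static size_t free_after_exact_fill(int fixed)
{
    rx_ring r = {0};
    deliver(&r, fixed, RING_SIZE / 2, 2);
    return fixed ? free_fixed(&r) : free_naive(&r);
}

/* Oversize packet on an empty ring: naive returns len, fixed returns 0. */
static size_t oversize_return(int fixed)
{
    rx_ring r = {0};
    return deliver(&r, fixed, RING_SIZE + 1, 1);
}

/* Fixed path: a third packet is refused on the full ring; once the guest has
 * drained half, the re-queued packet fits and its length is returned. */
static size_t retry_after_guest_read(void)
{
    rx_ring r = {0};
    uint8_t sink[RING_SIZE / 2];
    if (deliver(&r, 1, RING_SIZE / 2, 3) != 0) return (size_t)-1;
    guest_read(&r, sink, sizeof sink);
    return deliver(&r, 1, RING_SIZE / 2, 1);
}
```

Calling free_after_exact_fill(0) after the ring has been filled by two half-size packets gives RING_SIZE, which is the "full looks empty" state the cover letter describes; the next naive receive would then overwrite the unread packets. The same fill through the counted path reports 0 free, a further receive returns 0 so the caller can re-queue it, and after guest_read drains half the ring the retry succeeds. Returning 0 only helps if the device later signals that space is available again; the model leaves that wake-up out.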