From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55230)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1a7KZJ-0005ja-Md
	for qemu-devel@nongnu.org; Fri, 11 Dec 2015 05:04:54 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1a7KZE-0003zO-Jw
	for qemu-devel@nongnu.org; Fri, 11 Dec 2015 05:04:53 -0500
Received: from mx1.redhat.com ([209.132.183.28]:54059)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1a7KZE-0003zG-EN
	for qemu-devel@nongnu.org; Fri, 11 Dec 2015 05:04:48 -0500
Date: Fri, 11 Dec 2015 15:34:34 +0530 (IST)
From: P J P <ppandit@redhat.com>
In-Reply-To: <566A930C.7030901@redhat.com>
Message-ID: <alpine.LFD.2.20.1512111512110.13222@wniryva>
References: <alpine.LFD.2.20.1512021731340.15831@wniryva>
	<66A887B2-7CFF-45F9-AD7F-1381F8B1F318@daynix.com>
	<566105A2.6040508@redhat.com>
	<alpine.LFD.2.20.1512081526300.26684@wniryva>
	<alpine.LFD.2.20.1512091713000.22387@wniryva>
	<566A930C.7030901@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Subject: Re: [Qemu-devel] net: vmxnet3: memory leakage issue
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jason Wang <jasowang@redhat.com>
Cc: Dmitry Fleytman <dmitry@daynix.com>, Qinghao Tang <luodalongde@gmail.com>, qemu-devel@nongnu.org

  Hello Jason,

+-- On Fri, 11 Dec 2015, Jason Wang wrote --+
| I think it's possible for attacker. Better wait for Dmitry's answer for
| this.

  Okay.
 
| > +    /* Verify if device is active */
| > +    if (s->device_active) {
| > +        VMW_CFPRN("Vmxnet3 device is active");
| > +        return;
| > +    }
| 
| What if guest want to activate a paused device?

  There is a 'resume' operation defined below.
 
| >      case VMXNET3_CMD_QUIESCE_DEV:
| > -        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
| > -        vmxnet3_deactivate_device(s);
| > +        if (s->device_active & VMXNET3_DEV_ACTIVE) {
| > +            VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
| > +            vmxnet3_pause_device(s);
| > +        } else if (s->device_active & VMXNET3_DEV_PAUSE) {
| > +            VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - resume the device");
| > +            vmxnet3_resume_device(s);
| > +        }
| 
| Not sure this is the correct behavior. Is there a link to the spec?

  I couldn't find a spec for vmxnet3; I referred the vmxnet3 kernel driver, 
which seems to implement suspend & resume functions.

  -> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/vmxnet3/vmxnet3_drv.c

In general, Ethernet documents talk about 'pause' frame mechanism to stop NIC 
from buffering more data, till it has space available to process more, when it 
resumes its operation.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F