qemu-devel

Re: [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539


From: Jason Wang
Subject: Re: [RFC PATCH 0/3] hw/net/tulip: Fix LP#1874539
Date: Sun, 26 Apr 2020 10:49:13 +0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0


On 2020/4/24 11:27 PM, Helge Deller wrote:
* Philippe Mathieu-Daudé <address@hidden>:
Attempt to fix the launchpad bug filed by Helge:

   In a qemu-system-hppa system, qemu release v5.0.0-rc,
   the tulip nic driver is broken.  The tulip nic is detected,
   even getting DHCP info does work.  But when trying to
   download bigger files via network, the tulip driver gets
   stuck.

Philippe Mathieu-Daudé (3):
   hw/net/tulip: Fix 'Descriptor Error' definition
   hw/net/tulip: Log descriptor overflows
   hw/net/tulip: Set descriptor error bit when lenght is incorrect

  hw/net/tulip.h |  2 +-
  hw/net/tulip.c | 32 ++++++++++++++++++++++++++++----
  2 files changed, 29 insertions(+), 5 deletions(-)
Philippe, thanks for your efforts. Sadly your patch did not fix the
bug itself, but it had some nice cleanups which should be included at
some point.

Regarding the tulip hang reported by me, the patch below does fix the
issue.

[PATCH] Fix tulip rx hang
Cc: Prasad J Pandit <address@hidden>
Fixes: 8ffb7265af ("check frame size and r/w data length")
Buglink: https://bugs.launchpad.net/bugs/1874539
Signed-off-by: Helge Deller <address@hidden>

Commit 8ffb7265af ("check frame size and r/w data length") introduced
checks to prevent accesses outside of the rx/tx buffers. But the new
checks were plain wrong. rx_frame_len does count backwards, and the
surrounding code ensures that rx_frame_len will not be bigger than
rx_frame_size. Remove those checks again.

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 1295f51d07..59d21defcc 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
              len = s->rx_frame_len;
          }

-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
          pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
              (s->rx_frame_size - s->rx_frame_len), len);
          s->rx_frame_len -= len;
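Review bot: With the test gone, the source range of this `pci_dma_write` (offset `s->rx_frame_size - s->rx_frame_len`, length `len`) is bounded only by the `len = s->rx_frame_len` clamp above and by invariants established outside the hunk. The removed test was wrong because `rx_frame_len` is the remaining byte count, so `s->rx_frame_len + len` can exceed `sizeof(s->rx_frame)` for an in-bounds copy, and the early `return` skipped `s->rx_frame_len -= len`. Instead of no check at all, consider keeping one phrased on the real range, `(s->rx_frame_size - s->rx_frame_len) + len > sizeof(s->rx_frame)`, or an assert that `s->rx_frame_len <= s->rx_frame_size`, so the bound the commit message relies on is stated where the copy happens.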
@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
              len = s->rx_frame_len;
          }

-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
          pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
              (s->rx_frame_size - s->rx_frame_len), len);
          s->rx_frame_len -= len;
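Review bot: The buf_addr2 block is a line-for-line copy of the buf_addr1 block apart from the destination address, so the same test had to be removed twice. Consider moving the clamp, the `pci_dma_write` and the `s->rx_frame_len -= len` update into one helper that takes the buffer address, with a short comment there stating that rx_frame_len counts down from rx_frame_size; any future bounds logic then lives in a single place.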


Looks good to me.

Would you please send a formal patch and cc Peter.

Considering we are about to release 5.0, it's better for him to apply the patch directly.

Thanks
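
A minimal model of the receive-copy logic discussed in this thread, added here as an illustration (not code from QEMU or from any poster): it shows why a test on `rx_frame_len + len` stalls large frames while small ones still pass. The 2048-byte frame buffer, the 1536-byte guest buffer and the names `rx_model`, `copy_rx_bytes` and `undelivered` are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_FRAME_MAX 2048          /* assumed capacity of rx_frame */

struct rx_model {
    uint8_t rx_frame[RX_FRAME_MAX];
    size_t  rx_frame_size;         /* total bytes in the received frame */
    size_t  rx_frame_len;          /* bytes still to copy; counts down to 0 */
};

/* Copy at most buf_size bytes of the pending frame into one guest buffer.
 * old_check != 0 keeps the test that the patch removes. Returns bytes copied. */
static size_t copy_rx_bytes(struct rx_model *s, uint8_t *buf, size_t buf_size,
                            int old_check)
{
    size_t len = buf_size < s->rx_frame_len ? buf_size : s->rx_frame_len;
    size_t off = s->rx_frame_size - s->rx_frame_len;  /* bytes already copied */

    if (old_check && s->rx_frame_len + len > sizeof(s->rx_frame)) {
        return 0;                  /* rx_frame_len is never decremented */
    }
    if (off + len > sizeof(s->rx_frame)) {
        return 0;                  /* bound on the real source range (model only) */
    }
    memcpy(buf, s->rx_frame + off, len);
    s->rx_frame_len -= len;
    return len;
}

/* Feed one frame through up to 16 buffers; return the bytes left undelivered. */
static size_t undelivered(size_t frame_size, size_t buf_size, int old_check)
{
    struct rx_model s = { .rx_frame_size = frame_size, .rx_frame_len = frame_size };
    uint8_t buf[RX_FRAME_MAX];

    for (int i = 0; i < 16 && s.rx_frame_len > 0; i++) {
        copy_rx_bytes(&s, buf, buf_size, old_check);
    }
    return s.rx_frame_len;
}

int main(void)
{
    printf("60-byte frame, old check:   %zu left\n", undelivered(60, 1536, 1));
    printf("1514-byte frame, old check: %zu left\n", undelivered(1514, 1536, 1));
    printf("1514-byte frame, patched:   %zu left\n", undelivered(1514, 1536, 0));
    return 0;
}
```

In this model any frame longer than half the buffer capacity is rejected by the old test on its first copy, which matches the report that small exchanges work while larger transfers get stuck.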



