[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 13/16] hw/net/lan9118: Fix overflow in MIL TX FIFO
From: |
Philippe Mathieu-Daudé |
Subject: |
[PULL 13/16] hw/net/lan9118: Fix overflow in MIL TX FIFO |
Date: |
Wed, 10 Apr 2024 11:13:12 +0200 |
When the MAC Interface Layer (MIL) transmit FIFO is full,
truncate the packet, and raise the Transmitter Error (TXE)
flag.
Broken since model introduction in commit 2a42499017
("LAN9118 emulation").
When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:
hw/net/lan9118.c:798:17: runtime error:
index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
#0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
#1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
#2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
#3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
#4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
#5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
#6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
#7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
#8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
#9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
...
[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"
Cc: qemu-stable@nongnu.org
Reported-by: Will Lester
Reported-by: Chuhong Yuan <hslester96@gmail.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20240409133801.23503-3-philmd@linaro.org>
---
hw/net/lan9118.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 8214569a2c..91d81b410b 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -799,8 +799,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val)
/* Documentation is somewhat unclear on the ordering of bytes
in FIFO words. Empirical results show it to be little-endian.
*/
- /* TODO: FIFO overflow checking. */
while (n--) {
+ if (s->txp->len == MIL_TXFIFO_SIZE) {
+ /*
+ * No more space in the FIFO. The datasheet is not
+ * precise about this case. We choose what is easiest
+ * to model: the packet is truncated, and TXE is raised.
+ *
+ * Note, it could be a fragmented packet, but we currently
+ * do not handle that (see earlier TX_B case).
+ */
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "MIL TX FIFO overrun, discarding %u
byte%s\n",
+ n, n > 1 ? "s" : "");
+ s->int_sts |= TXE_INT;
+ break;
+ }
s->txp->data[s->txp->len] = val & 0xff;
s->txp->len++;
val >>= 8;
--
2.41.0
- [PULL 04/16] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs, (continued)
- [PULL 04/16] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 03/16] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 05/16] qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 06/16] hw/block/nand: Factor nand_load_iolen() method out, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 07/16] hw/block/nand: Have blk_load() take unsigned offset and return boolean, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 08/16] hw/block/nand: Fix out-of-bound access in NAND block buffer, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 09/16] hw/misc/applesmc: Do not call DeviceReset from DeviceRealize, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 10/16] hw/misc/applesmc: Fix memory leak in reset() handler, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 11/16] backends/cryptodev: Do not abort for invalid session ID, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 12/16] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 13/16] hw/net/lan9118: Fix overflow in MIL TX FIFO,
Philippe Mathieu-Daudé <=
- [PULL 14/16] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 16/16] hw/audio/virtio-snd: Remove unused assignment, Philippe Mathieu-Daudé, 2024/04/10
- [PULL 15/16] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum(), Philippe Mathieu-Daudé, 2024/04/10
- Re: [PULL 00/16] Misc HW patches for 2024-04-10, Peter Maydell, 2024/04/10