[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[qemu-xen stable-4.14] Fix tulip breakage

commit d723a57acd985cf5c9fdf8a2761d1ca53a3179c0
Author:     Helge Deller <deller@xxxxxx>
AuthorDate: Sun Apr 26 12:55:39 2020 +0200
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Mon Aug 24 19:12:04 2020 -0500

    Fix tulip breakage
    
    The tulip network driver in a qemu-system-hppa emulation is broken in
    the sense that bigger network packages aren't received any longer and
    thus even running e.g. "apt update" inside the VM fails.
    
    The breakage was introduced by commit 8ffb7265af ("check frame size and
    r/w data length") which added checks to prevent accesses outside of the
    rx/tx buffers.
    
    But the new checks were implemented wrong. The variable rx_frame_len
    counts backwards, from rx_frame_size down to zero, and the variable len
    is never bigger than rx_frame_len, so accesses just can't happen and the
    checks are unnecessary.
    On the contrary the checks now prevented bigger packages to be moved
    into the rx buffers.
    
    This patch reverts the wrong checks and were sucessfully tested with a
    qemu-system-hppa emulation.
    
    Fixes: 8ffb7265af ("check frame size and r/w data length")
    Buglink: https://bugs.launchpad.net/bugs/1874539
    Signed-off-by: Helge Deller <deller@xxxxxx>
    Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
    (cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 hw/net/tulip.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 1295f51d07..44db56447c 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
             len = s->rx_frame_len;
         }
 
-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
             len = s->rx_frame_len;
         }
 
-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-            return;
-        }
         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.14

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.