|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [qemu-xen master] e1000: fix tx re-entrancy problem
commit 43583f0c079b084ada9214c00125e21bbfc6266a
Author: Jon Maloy <jmaloy@xxxxxxxxxx>
AuthorDate: Thu Oct 21 12:10:47 2021 -0400
Commit: Michael Roth <michael.roth@xxxxxxx>
CommitDate: Tue Dec 14 17:40:06 2021 -0600
e1000: fix tx re-entrancy problem
The fact that the MMIO handler is not re-entrant causes an infinite
loop under certain conditions:
Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX
We now eliminate the effect of this problem locally in e1000, by adding
a boolean in struct E1000State indicating when the TX side is busy. This
will cause any entering new call to return early instead of interfering
with the ongoing work, and eliminates any risk of looping.
This is intended to address CVE-2021-20257.
Signed-off-by: Jon Maloy <jmaloy@xxxxxxxxxx>
Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
(cherry picked from commit 25ddb946e6301f42cff3094ea1c25fb78813e7e9)
Signed-off-by: Michael Roth <michael.roth@xxxxxxx>
---
hw/net/e1000.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index a30546c5d5..f5bc81296d 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -107,6 +107,7 @@ struct E1000State_st {
e1000x_txd_props props;
e1000x_txd_props tso_props;
uint16_t tso_frames;
+ bool busy;
} tx;
struct {
@@ -763,6 +764,11 @@ start_xmit(E1000State *s)
return;
}
+ if (s->tx.busy) {
+ return;
+ }
+ s->tx.busy = true;
+
while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
base = tx_desc_base(s) +
sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
@@ -789,6 +795,7 @@ start_xmit(E1000State *s)
break;
}
}
+ s->tx.busy = false;
set_ics(s, 0, cause);
}
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |