[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 34e29c: net: pcnet: check rx/tx descriptor ri
From: |
GitHub |
Subject: |
[Qemu-commits] [qemu/qemu] 34e29c: net: pcnet: check rx/tx descriptor ring length |
Date: |
Thu, 27 Oct 2016 06:00:05 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 34e29ce754c02bb6b3bdd244fbb85033460feaff
https://github.com/qemu/qemu/commit/34e29ce754c02bb6b3bdd244fbb85033460feaff
Author: Prasad J Pandit <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/pcnet.c
Log Message:
-----------
net: pcnet: check rx/tx descriptor ring length
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 67aa4493444c6bda0eca14a027653dd426bede97
https://github.com/qemu/qemu/commit/67aa4493444c6bda0eca14a027653dd426bede97
Author: Prasad J Pandit <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/pcnet.c
Log Message:
-----------
net: pcnet: fix source formatting and indentation
Fix indentations and source format at few places. Add braces
around 'if' and 'while' statements.
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 9463c0778b122dee31de3e0883c6564c31d894a4
https://github.com/qemu/qemu/commit/9463c0778b122dee31de3e0883c6564c31d894a4
Author: Brad Smith <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M net/tap-bsd.c
Log Message:
-----------
tap-bsd: OpenBSD uses tap(4) now
Update the tap-bsd code now that OpenBSD uses tap(4).
Signed-off-by: Brad Smith <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 2634ab7fe29b3f75d0865b719caf8f310d634aae
https://github.com/qemu/qemu/commit/2634ab7fe29b3f75d0865b719caf8f310d634aae
Author: Li Qiang <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/eepro100.c
Log Message:
-----------
net: eepro100: fix memory leak in device uninit
The exit dispatch of eepro100 network card device doesn't free
the 's->vmstate' field which was allocated in device realize thus
leading a host memory leak. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 8caed3d564672e8bc6d2e4c6a35228afd01f4723
https://github.com/qemu/qemu/commit/8caed3d564672e8bc6d2e4c6a35228afd01f4723
Author: Prasad J Pandit <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/rocker/rocker.c
Log Message:
-----------
net: rocker: set limit to DMA buffer size
Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Reviewed-by: Jiri Pirko <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: c89d416a2b0fb6a21224186b10af4c4a3feee31b
https://github.com/qemu/qemu/commit/c89d416a2b0fb6a21224186b10af4c4a3feee31b
Author: Kevin Wolf <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/e1000e_core.c
Log Message:
-----------
e1000e: Don't zero out buffer address in rx descriptor
The e1000e emulation zeroes out any used rx descriptor and then writes a
completely newly constructed value there. By doing this, it doesn't only
update the write-back area of the descriptors (as it's supposed to do),
but it also clears the buffer address, which real hardware doesn't do.
The spec explicitly mentions in chapter 7.1.8 that it is valid for a
driver to reuse a descriptor and only update the status field while
doing so, i.e. reusing the old buffer address:
If software statically allocates buffers, and uses memory read to
check for completed descriptors, it simply has to zero the status
byte in the descriptor to make it ready for reuse by hardware.
This patch fixes the behaviour to leave the buffer address in
descriptors unchanged even after the descriptor has been used.
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: fdda170e50b8af062cf5741e12c4fb5e57a2eacf
https://github.com/qemu/qemu/commit/fdda170e50b8af062cf5741e12c4fb5e57a2eacf
Author: Li Qiang <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/vmxnet3.c
Log Message:
-----------
net: vmxnet: initialise local tx descriptor
In Vmxnet3 device emulator while processing transmit(tx) queue,
when it reaches end of packet, it calls vmxnet3_complete_packet.
In that local 'txcq_descr' object is not initialised, which could
leak host memory bytes a guest.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: c7c35916692fe010fef25ac338443d3fe40be225
https://github.com/qemu/qemu/commit/c7c35916692fe010fef25ac338443d3fe40be225
Author: Prasad J Pandit <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M hw/net/rtl8139.c
Log Message:
-----------
net: rtl8139: limit processing of ring descriptors
RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.
Reported-by: Andrew Henderson <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 2061c14c9bea67f8f1fc6bc7acb33c903a0586c1
https://github.com/qemu/qemu/commit/2061c14c9bea67f8f1fc6bc7acb33c903a0586c1
Author: Zhang Chen <address@hidden>
Date: 2016-10-26 (Wed, 26 Oct 2016)
Changed paths:
M net/colo-compare.c
M net/filter-rewriter.c
M net/trace-events
Log Message:
-----------
colo-proxy: fix memory leak
Fix memory leak in colo-compare.c and filter-rewriter.c
Report by Coverity and add some comments.
Signed-off-by: Zhang Chen <address@hidden>
Reviewed-by: zhanghailiang <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Commit: 8f9d84df97a3d73544ed2098dd1872fb43e0052d
https://github.com/qemu/qemu/commit/8f9d84df97a3d73544ed2098dd1872fb43e0052d
Author: Peter Maydell <address@hidden>
Date: 2016-10-27 (Thu, 27 Oct 2016)
Changed paths:
M hw/net/e1000e_core.c
M hw/net/eepro100.c
M hw/net/pcnet.c
M hw/net/rocker/rocker.c
M hw/net/rtl8139.c
M hw/net/vmxnet3.c
M net/colo-compare.c
M net/filter-rewriter.c
M net/tap-bsd.c
M net/trace-events
Log Message:
-----------
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into
staging
# gpg: Signature made Wed 26 Oct 2016 03:19:06 BST
# gpg: using RSA key 0xEF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <address@hidden>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
colo-proxy: fix memory leak
net: rtl8139: limit processing of ring descriptors
net: vmxnet: initialise local tx descriptor
e1000e: Don't zero out buffer address in rx descriptor
net: rocker: set limit to DMA buffer size
net: eepro100: fix memory leak in device uninit
tap-bsd: OpenBSD uses tap(4) now
net: pcnet: fix source formatting and indentation
net: pcnet: check rx/tx descriptor ring length
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/991a97ac7434...8f9d84df97a3
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] 34e29c: net: pcnet: check rx/tx descriptor ring length,
GitHub <=