qemu-commits

[Qemu-commits] [qemu/qemu] 9010b0: hw/net/vmxnet3: Do not abort QEMU if


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 9010b0: hw/net/vmxnet3: Do not abort QEMU if guest specifi...
Date: Mon, 02 Aug 2021 01:47:41 -0700

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 9010b0c7a9a097590e183f63716091f6c42a223f
      
https://github.com/qemu/qemu/commit/9010b0c7a9a097590e183f63716091f6c42a223f
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2021-08-02 (Mon, 02 Aug 2021)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  hw/net/vmxnet3: Do not abort QEMU if guest specified bad queue numbers

QEMU should never terminate unexpectedly just because the guest is
doing something wrong like specifying wrong queue numbers. Let's
simply refuse to set the device active in this case.

Buglink: https://bugs.launchpad.net/qemu/+bug/1890160
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>


  Commit: 11744862f27b9ba6488a247d2fd6bb83d9bc3c8d
      
https://github.com/qemu/qemu/commit/11744862f27b9ba6488a247d2fd6bb83d9bc3c8d
  Author: Pavel Pisa <pisa@cmp.felk.cvut.cz>
  Date:   2021-08-02 (Mon, 02 Aug 2021)

  Changed paths:
    M hw/net/can/can_sja1000.c

  Log Message:
  -----------
  hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes

Problem reported by openEuler fuzz-sig group.

The buff2frame_bas function (hw\net\can\can_sja1000.c)
infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x).

Reported-by: Qiang Ning <ningqiang1@huawei.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Signed-off-by: Jason Wang <jasowang@redhat.com>


  Commit: a1d7e475beb5c9e7a8e1213f29b0d20a208a9ade
      
https://github.com/qemu/qemu/commit/a1d7e475beb5c9e7a8e1213f29b0d20a208a9ade
  Author: Christina Wang <christina.wang@windriver.com>
  Date:   2021-08-02 (Mon, 02 Aug 2021)

  Changed paths:
    M hw/core/machine.c
    M hw/net/e1000.c

  Log Message:
  -----------
  hw/net: e1000: Correct the initial value of VET register

The initial value of VLAN Ether Type (VET) register is 0x8100, as per
the manual and real hardware.

While Linux e1000 driver always writes VET register to 0x8100, it is
not always the case for everyone. Drivers relying on the reset value
of VET won't be able to transmit and receive VLAN frames in QEMU.

Reported-by: Markus Carlstedt <markus.carlstedt@windriver.com>
Signed-off-by: Christina Wang <christina.wang@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>


  Commit: d897056960fb379302cc9b656b899829f571eb6e
      
https://github.com/qemu/qemu/commit/d897056960fb379302cc9b656b899829f571eb6e
  Author: Christina Wang <christina.wang@windriver.com>
  Date:   2021-08-02 (Mon, 02 Aug 2021)

  Changed paths:
    M hw/core/machine.c
    M hw/net/e1000e.c
    M hw/net/e1000e_core.c

  Log Message:
  -----------
  hw/net: e1000e: Correct the initial value of VET register

The initial value of VLAN Ether Type (VET) register is 0x8100, as per
the manual and real hardware.

While Linux e1000e driver always writes VET register to 0x8100, it is
not always the case for everyone. Drivers relying on the reset value
of VET won't be able to transmit and receive VLAN frames in QEMU.

Unlike e1000 in QEMU, e1000e uses a field 'vet' in "struct E1000Core"
to cache the value of VET register, but the cache only gets updated
when VET register is written. To always get a consistent VET value
no matter VET is written or remains its reset value, drop the 'vet'
field and use 'core->mac[VET]' directly.

Reported-by: Markus Carlstedt <markus.carlstedt@windriver.com>
Signed-off-by: Christina Wang <christina.wang@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>


  Commit: cfe6d6841ff46b43ec38792422f690813f4ce3bf
      
https://github.com/qemu/qemu/commit/cfe6d6841ff46b43ec38792422f690813f4ce3bf
  Author: Christina Wang <christina.wang@windriver.com>
  Date:   2021-08-02 (Mon, 02 Aug 2021)

  Changed paths:
    M hw/net/e1000e_core.c

  Log Message:
  -----------
  hw/net: e1000e: Don't zero out the VLAN tag in the legacy RX descriptor

In the legacy RX descriptor mode, VLAN tag was saved to d->special
by e1000e_build_rx_metadata() in e1000e_write_lgcy_rx_descr(), but
it was then zeroed out again at the end of the call, which is wrong.

Fixes: c89d416a2b0f ("e1000e: Don't zero out buffer address in rx descriptor")
Reported-by: Markus Carlstedt <markus.carlstedt@windriver.com>
Signed-off-by: Christina Wang <christina.wang@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>


  Commit: 10a3c4a4b3e14208cfed274514d1911e5230935f
      
https://github.com/qemu/qemu/commit/10a3c4a4b3e14208cfed274514d1911e5230935f
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-08-02 (Mon, 02 Aug 2021)

  Changed paths:
    M hw/core/machine.c
    M hw/net/can/can_sja1000.c
    M hw/net/e1000.c
    M hw/net/e1000e.c
    M hw/net/e1000e_core.c
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging

# gpg: Signature made Mon 02 Aug 2021 05:23:19 BST
# gpg:                using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  hw/net: e1000e: Don't zero out the VLAN tag in the legacy RX descriptor
  hw/net: e1000e: Correct the initial value of VET register
  hw/net: e1000: Correct the initial value of VET register
  hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes
  hw/net/vmxnet3: Do not abort QEMU if guest specified bad queue numbers

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/0c633cf0c221...10a3c4a4b3e1
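
The sja1000 commit above concerns a guest-supplied DLC larger than the 8 bytes of a standard CAN frame. The following is an added example, not code from QEMU or from the commit: a minimal decoder that clamps the 4-bit DLC before copying the payload. The struct, the function name demo_buff2frame and the sample buffers are hypothetical, and the BasicCAN byte layout used is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_CLASSIC_MAX_DLEN 8          /* standard CAN payload limit */

/* Hypothetical, simplified frame; not QEMU's qemu_can_frame. */
struct demo_can_frame {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  data[CAN_CLASSIC_MAX_DLEN];
};

/*
 * Decode a guest-written transmit buffer (assumed BasicCAN layout):
 *   buff[0]    ID bits 10..3
 *   buff[1]    ID bits 2..0 in bits 7..5, RTR in bit 4, DLC in bits 3..0
 *   buff[2..]  payload
 * The DLC field is 4 bits wide, so the guest can write 0..15 although
 * only 0..8 are valid payload lengths. Returns the number of payload
 * bytes copied, or -1 if the buffer is too short for the clamped DLC.
 */
int demo_buff2frame(const uint8_t *buff, size_t buff_len,
                    struct demo_can_frame *frame)
{
    uint8_t dlc;

    if (buff_len < 2) {
        return -1;
    }
    memset(frame, 0, sizeof(*frame));
    frame->can_id = ((uint32_t)buff[0] << 3) | (uint32_t)(buff[1] >> 5);

    dlc = buff[1] & 0x0f;
    if (dlc > CAN_CLASSIC_MAX_DLEN) {   /* clamp before any copy */
        dlc = CAN_CLASSIC_MAX_DLEN;
    }
    if ((size_t)dlc > buff_len - 2) {   /* never read past the source */
        return -1;
    }
    frame->can_dlc = dlc;
    memcpy(frame->data, buff + 2, dlc);
    return dlc;
}

int main(void)
{
    /* Constructed sample: DLC nibble 0xf with only 8 payload bytes. */
    const uint8_t sample[10] = {0x24, 0x6f, 1, 2, 3, 4, 5, 6, 7, 8};
    struct demo_can_frame f;
    printf("copied %d bytes\n", demo_buff2frame(sample, sizeof(sample), &f));
    return 0;
}
```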


