[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 18/77] Fix tulip breakage
|
From: |
Michael Roth |
|
Subject: |
[PATCH 18/77] Fix tulip breakage |
|
Date: |
Thu, 3 Sep 2020 15:58:36 -0500 |
From: Helge Deller <deller@gmx.de>
The tulip network driver in a qemu-system-hppa emulation is broken in
the sense that bigger network packages aren't received any longer and
thus even running e.g. "apt update" inside the VM fails.
The breakage was introduced by commit 8ffb7265af ("check frame size and
r/w data length") which added checks to prevent accesses outside of the
rx/tx buffers.
But the new checks were implemented wrong. The variable rx_frame_len
counts backwards, from rx_frame_size down to zero, and the variable len
is never bigger than rx_frame_len, so accesses just can't happen and the
checks are unnecessary.
On the contrary the checks now prevented bigger packages to be moved
into the rx buffers.
This patch reverts the wrong checks and were sucessfully tested with a
qemu-system-hppa emulation.
Fixes: 8ffb7265af ("check frame size and r/w data length")
Buglink: https://bugs.launchpad.net/bugs/1874539
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/net/tulip.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 1295f51d07..44db56447c 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct
tulip_descriptor *desc)
len = s->rx_frame_len;
}
- if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
- return;
- }
pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
(s->rx_frame_size - s->rx_frame_len), len);
s->rx_frame_len -= len;
@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct
tulip_descriptor *desc)
len = s->rx_frame_len;
}
- if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
- return;
- }
pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
(s->rx_frame_size - s->rx_frame_len), len);
s->rx_frame_len -= len;
--
2.17.1
- [PATCH 00/77] Patch Round-up for stable 5.0.1, freeze on 2020-09-10, Michael Roth, 2020/09/03
- [PATCH 10/77] block: Call attention to truncation of long NBD exports, Michael Roth, 2020/09/03
- [PATCH 09/77] virtio-balloon: unref the iothread when unrealizing, Michael Roth, 2020/09/03
- [PATCH 11/77] 9pfs: local: ignore O_NOATIME if we don't have permissions, Michael Roth, 2020/09/03
- [PATCH 13/77] xen-9pfs: Fix log messages of reply errors, Michael Roth, 2020/09/03
- [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX, Michael Roth, 2020/09/03
- [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring, Michael Roth, 2020/09/03
- [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size", Michael Roth, 2020/09/03
- [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800), Michael Roth, 2020/09/03
- [PATCH 18/77] Fix tulip breakage,
Michael Roth <=
- [PATCH 17/77] es1370: check total frame count against current frame, Michael Roth, 2020/09/03
- [PATCH 19/77] iotests/283: Use consistent size for source and target, Michael Roth, 2020/09/03
- [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option, Michael Roth, 2020/09/03
- [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty, Michael Roth, 2020/09/03
- [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717), Michael Roth, 2020/09/03
- [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG, Michael Roth, 2020/09/03
- [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets(), Michael Roth, 2020/09/03
- [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy(), Michael Roth, 2020/09/03
- [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used, Michael Roth, 2020/09/03
- [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output, Michael Roth, 2020/09/03