From patchwork Tue Jul 8 17:16:46 2014
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 33467
From: Michael Roth
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Date: Tue, 8 Jul 2014 12:16:46 -0500
Message-Id: <1404839947-1086-16-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1404839947-1086-1-git-send-email-mdroth@linux.vnet.ibm.com>
References: <1404839947-1086-1-git-send-email-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun

From: Peter Maydell The current tx_fifo code has a corner case where the guest can overrun the fifo buffer: if automatic CRCs are disabled we allow the guest to write the CRC word even if there isn't actually space for it in the FIFO. The datasheet is unclear about exactly how the hardware deals with this situation; the most plausible answer seems to be that the CRC word is just lost. Implement this fix by separating the "can we stuff another word in the FIFO" logic from the "should we transmit the packet now" check. This also moves us closer to the real hardware, which has a number of ways it can be configured to trigger sending the packet, some of which we don't implement. Signed-off-by: Peter Maydell Reviewed-by: Dr. David Alan Gilbert Cc: qemu-stable@nongnu.org (cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6) Signed-off-by: Michael Roth --- hw/net/stellaris_enet.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index 9dd77f7..8a1d0d1 100644 --- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -252,10 +252,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset, s->tx_fifo[s->tx_fifo_len++] = value >> 24; } } else { - s->tx_fifo[s->tx_fifo_len++] = value; - s->tx_fifo[s->tx_fifo_len++] = value >> 8; - s->tx_fifo[s->tx_fifo_len++] = value >> 16; - s->tx_fifo[s->tx_fifo_len++] = value >> 24; + if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) { + s->tx_fifo[s->tx_fifo_len++] = value; + s->tx_fifo[s->tx_fifo_len++] = value >> 8; + s->tx_fifo[s->tx_fifo_len++] = value >> 16; + s->tx_fifo[s->tx_fifo_len++] = value >> 24; + } if (s->tx_fifo_len >= s->tx_frame_len) { /* We don't implement explicit CRC, so just chop it off. */ if ((s->tctl & SE_TCTL_CRC) == 0)
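
Review bot: The new guard `if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo))` in the else branch drops the guest's word silently, and nothing in the code says that this is deliberate. The commit message explains that the datasheet is unclear and that losing the CRC word is the most plausible hardware behaviour; a short comment above the `if` would keep that reasoning next to the check. Two things to confirm from code outside this hunk: once a word is dropped `tx_fifo_len` stops advancing, so the following `if (s->tx_fifo_len >= s->tx_frame_len)` can only fire if `tx_frame_len` is never larger than what the FIFO can hold; and the unchanged store in the preceding branch, `s->tx_fifo[s->tx_fifo_len++] = value >> 24;`, has no equivalent bound visible here, so its safety depends on how `tx_fifo_len` is reset before that branch runs.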