From patchwork Tue May 13 15:31:25 2014
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 30066
From: Peter Maydell
To: Anthony Liguori
Cc: qemu-devel@nongnu.org
Date: Tue, 13 May 2014 16:31:25 +0100
Message-Id: <1399995099-26635-4-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 03/17] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun

The current tx_fifo code has a corner case where the guest can overrun the fifo buffer: if automatic CRCs are disabled we allow the guest to write the CRC word even if there isn't actually space for it in the FIFO. The datasheet is unclear about exactly how the hardware deals with this situation; the most plausible answer seems to be that the CRC word is just lost.

Implement this fix by separating the "can we stuff another word in the FIFO" logic from the "should we transmit the packet now" check. This also moves us closer to the real hardware, which has a number of ways it can be configured to trigger sending the packet, some of which we don't implement.

Signed-off-by: Peter Maydell Reviewed-by: Dr. David Alan Gilbert Cc: qemu-stable@nongnu.org --- hw/net/stellaris_enet.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index d04e6a4..bd844cd 100644 --- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -253,10 +253,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset, s->tx_fifo[s->tx_fifo_len++] = value >> 24; } } else { - s->tx_fifo[s->tx_fifo_len++] = value; - s->tx_fifo[s->tx_fifo_len++] = value >> 8; - s->tx_fifo[s->tx_fifo_len++] = value >> 16; - s->tx_fifo[s->tx_fifo_len++] = value >> 24; + if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) { + s->tx_fifo[s->tx_fifo_len++] = value; + s->tx_fifo[s->tx_fifo_len++] = value >> 8; + s->tx_fifo[s->tx_fifo_len++] = value >> 16; + s->tx_fifo[s->tx_fifo_len++] = value >> 24; + } if (s->tx_fifo_len >= s->tx_frame_len) { /* We don't implement explicit CRC, so just chop it off. */ if ((s->tctl & SE_TCTL_CRC) == 0)
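
Review bot: The new guard `if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo))` in the `else` branch drops the guest's word silently when the FIFO is full, and nothing in the code records that this is deliberate. A short comment at the guard repeating the commit message's reasoning (the datasheet is unclear, and the most plausible hardware behaviour is that the CRC word is lost) would stop a later reader from treating the missing `else` as an oversight. The preceding branch, whose last store `s->tx_fifo[s->tx_fifo_len++] = value >> 24;` appears only as context, is untouched here and its bounds check is not visible in this hunk, so it is worth confirming that path is bounded too. The transmit test `if (s->tx_fifo_len >= s->tx_frame_len)` now also runs after a dropped write; that only fires if tx_frame_len cannot exceed what the FIFO holds, which this hunk does not show, so a note or check on that limit where tx_frame_len is set would close the gap.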