From patchwork Mon Apr  8 10:51:49 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?=
 <philmd@linaro.org>
X-Patchwork-Id: 786903
Delivered-To: patch@linaro.org
Received: by 2002:a05:6000:1101:b0:343:f27d:c44e with SMTP id z1csp1277677wrw; 
 Mon, 8 Apr 2024 03:53:04 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCU//wMrF9O7C0ubBbVUuhg8U4CgndKpHoKvhg9VvzPHY35CgAsCoqqA8kMcaB1fR/x/ITHFs+CwD16Jpds/plJV
X-Google-Smtp-Source: AGHT+IHnMa6oE7etFwc3VyksWE9Bv1jZyQHB12ww1y9BRILyeCXq/HZyXR4k19XoYvdOMfLPNyHc
X-Received: by 2002:a25:800c:0:b0:dc7:4367:2527 with SMTP id
 m12-20020a25800c000000b00dc743672527mr6740513ybk.49.1712573584154;
 Mon, 08 Apr 2024 03:53:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1712573584; cv=none;
 d=google.com; s=arc-20160816;
 b=WrW5EIYt4UyKXwiyJptfCrv8k2MGUsPXrlo8Y/OXhKUAJE7e36tKqgMnmz048YKgYs
 NRfXrz5MPLKBYXn7RVZO6EXmzPZp8ysESSloGyU0wg7jO2qxCEFpApH23u0n/TGThx/n
 mTwAxDPyIiASgQ0hzn2Tk0MK5b2uIOMxMzz+X539dWFXtSH+5V7uDcXCHXMuf5leyhI9
 Mc6Ir8Ce/b+E2YNVvDC0FbJMCKGc4aUGzZpSjd4w+hKR5Yt2ac2qt1v3E87XOYmhRAQP
 RqloX02oJPEvtdORetSlUrXxR8aqfdQELCPWnaF/YPBAjCRtGy1EIt4sC/8Bz1GhtPGe
 Dpkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:references:in-reply-to:message-id:date:subject:cc:to
 :from:dkim-signature;
 bh=TGK9qftknixU9heZO350MkV2K3QN1Ehw0AuOxkZ5V7g=;
 fh=CAGssEFmw6LP010SIsD0fdm4FJghmjrwGLNmpcJ91r4=;
 b=xlIZlU3YJv6d9wWB+hezs3qq2nrlcc4ZBX1tJ/SGrSwiSPvbBBM0t8CmfjTEQYaKLd
 tqT4JVq+j+X7FtHAGqSiWUyp9z5S31CX75c3guwtKpQ/NSkViLQiF5f8l0kqOSzmgBCM
 MHB4/0+Uthxbqh+9sl1XqDfMLbnR24T6vw7q5WoqBYqvDw5NI+4huQT0R77uQBanlhWU
 PL7FJZs6sctoCjzR/JNv1wtPKdJRlqVtuK9KAMjgbFSrmDAJSRS6y/pOXb/KZka+MmTV
 g7WB3p8dZ4AE108m/d7yqIu2jh2F5ZhDIMusl6C4A84/tB96t0Mpvp7KmDfnZ9sQ1ndp
 1Eow==; dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=Ss3eciLo;
 spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org";
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17])
 by mx.google.com with ESMTPS id
 d14-20020a05622a05ce00b00432c2b07f73si8001815qtb.577.2024.04.08.03.53.04
 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
 Mon, 08 Apr 2024 03:53:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=Ss3eciLo;
 spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org";
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from localhost ([::1] helo=lists1p.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <qemu-devel-bounces@nongnu.org>)
 id 1rtmbi-0002sU-Ks; Mon, 08 Apr 2024 06:52:10 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <philmd@linaro.org>) id 1rtmbg-0002s8-Bm
 for qemu-devel@nongnu.org; Mon, 08 Apr 2024 06:52:08 -0400
Received: from mail-wm1-x32b.google.com ([2a00:1450:4864:20::32b])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <philmd@linaro.org>) id 1rtmbd-0007rW-Jt
 for qemu-devel@nongnu.org; Mon, 08 Apr 2024 06:52:08 -0400
Received: by mail-wm1-x32b.google.com with SMTP id
 5b1f17b1804b1-4166d58a71eso5353745e9.1
 for <qemu-devel@nongnu.org>; Mon, 08 Apr 2024 03:52:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=linaro.org; s=google; t=1712573523; x=1713178323; darn=nongnu.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=TGK9qftknixU9heZO350MkV2K3QN1Ehw0AuOxkZ5V7g=;
 b=Ss3eciLoqlmCl7g5mhOwqMCpsTC9n52vVcU83tD27d1YYCuNpVJ2RDViszBd9qztNF
 uKwy/8k85uw4/oXbMb/R8KiTvJRRGY5fT7mKucRNkuNPn3gfURU13sRrglkjgl7Okt4K
 jYNgeDDivuybgvmC1+IqfZ4X0WeRyrwly4/nkELSavi9Gyrg0d7ff+SmGIdoNF2Lo4mF
 5bh7xJ6WFfJ5Jg1I4tqMZ18sm7p5OMYFvRQdr2PPKhAXekDIHGGt/Y7stPMuCzz7xEN+
 nhvmjXu9E8qlHhGG2X8UgOjRSVt4LdGjc1C9L++P/nESkQuMRT6ARSqMEF4AfoPT3nFZ
 pEEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1712573523; x=1713178323;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=TGK9qftknixU9heZO350MkV2K3QN1Ehw0AuOxkZ5V7g=;
 b=cVgJAOMuzSgHSZ/aOOH3WyivQ4c32liBSt4ynaICFwNk5fRcYPNCLuqRWCAChtK+MD
 fJ6hQPge38Y+H2C1amX0IlKWoJaDXpRAHHJZiiSOjs6cZRNMDeL/DIVWZe1i9x5IA6EK
 jBKpGux2Vhu3kogxQ78Int8ty4aBIo4d9OOEc152eubpP/ocGciQZZdwITYps2yZ/iV5
 GO8SdIsyEnCW3e4i+SfC7gC3KYc5TPKxeCHxOujG8WJwpVjweaFV6Vb3dLM10ABZZ1uM
 5FgGx1No6XPcf9ddlspKlodnKcYpg/fUQEZBBbVotloSaJRzB1Cflyfq//jd10zUTL5h
 ATBg==
X-Gm-Message-State: AOJu0Yy+8XaiGPAy/aPFZNYP1HMWS5iHjHYe3fYfgWMyCp96RuVUfIi2
 VEal7YgPGDW0ZYtdz9gKg+NeXGqcN0316+6kvSWACo9I6PdTnwCJGkFaupzAhrJlQvlRY+H8S20
 I
X-Received: by 2002:a05:600c:4f83:b0:416:5a88:4b49 with SMTP id
 n3-20020a05600c4f8300b004165a884b49mr2855420wmq.15.1712573523640;
 Mon, 08 Apr 2024 03:52:03 -0700 (PDT)
Received: from m1x-phil.lan ([176.176.144.67])
 by smtp.gmail.com with ESMTPSA id
 t8-20020a05600c450800b004147db8a91asm16599890wmo.40.2024.04.08.03.52.02
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 08 Apr 2024 03:52:03 -0700 (PDT)
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: Jason Wang <jasowang@redhat.com>, Alexander Bulekov <alxndr@bu.edu>,
 qemu-arm@nongnu.org, Chuhong Yuan <hslester96@gmail.com>, =?utf-8?q?Philipp?=
 =?utf-8?q?e_Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Subject: [PATCH-for-9.0? 2/2] hw/net/lan9118: Fix overflow in TX FIFO
Date: Mon,  8 Apr 2024 12:51:49 +0200
Message-ID: <20240408105149.59258-3-philmd@linaro.org>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20240408105149.59258-1-philmd@linaro.org>
References: <20240408105149.59258-1-philmd@linaro.org>
MIME-Version: 1.0
Received-SPF: pass client-ip=2a00:1450:4864:20::32b;
 envelope-from=philmd@linaro.org; helo=mail-wm1-x32b.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

When the TX FIFO is full, raise the TX Status FIFO Overflow (TXSO)
flag, "Generated when the TX Status FIFO overflows" [*].

Broken since model introduction in commit 2a42499017
("LAN9118 emulation").

When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:

  hw/net/lan9118.c:798:17: runtime error:
  index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
    #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
    #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
    #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
    #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
    #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
    #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
    #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
    #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
    #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
    #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
    ...

[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"

Reported-by: Will Lester
Reported-by: Chuhong Yuan <hslester96@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/net/lan9118.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 7be0430ac5..7a1367b0bb 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -795,8 +795,11 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val)
             /* Documentation is somewhat unclear on the ordering of bytes
                in FIFO words.  Empirical results show it to be little-endian.
                */
-            /* TODO: FIFO overflow checking.  */
             while (n--) {
+                if (s->txp->len == PKT_SIZE) {
+                    s->int_sts |= TXSO_INT;
+                    break;
+                }
                 s->txp->data[s->txp->len] = val & 0xff;
                 s->txp->len++;
                 val >>= 8;