From patchwork Thu Apr 18 17:49:37 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789823
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Chuhong Yuan, Peter Maydell, Michael Tokarev
Subject: [Stable-8.2.3 107/116] hw/net/lan9118: Fix overflow in MIL TX FIFO
Date: Thu, 18 Apr 2024 20:49:37 +0300
Message-Id: <20240418174955.947730-20-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

When the MAC Interface Layer (MIL) transmit FIFO is full,
truncate the packet, and raise the Transmitter Error (TXE)
flag.

Broken since model introduction in commit 2a42499017
("LAN9118 emulation").

When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:

  hw/net/lan9118.c:798:17: runtime error:
  index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
    #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
    #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
    #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
    #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
    #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
    #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
    #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
    #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
    #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
    #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
    ...

[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"

Cc: qemu-stable@nongnu.org
Reported-by: Will Lester
Reported-by: Chuhong Yuan
Suggested-by: Peter Maydell
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240409133801.23503-3-philmd@linaro.org>
(cherry picked from commit ad766d603f39888309cfb1433ba2de1d0e9e4f58)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c index f0a8a3fa10..4b081cc827 100644 --- a/hw/net/lan9118.c +++ b/hw/net/lan9118.c 
@@ -799,8 +799,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val) /* Documentation is somewhat unclear on the ordering of bytes in FIFO words. Empirical results show it to be little-endian. */ - /* TODO: FIFO overflow checking. */ while (n--) { + if (s->txp->len == MIL_TXFIFO_SIZE) { + /* + * No more space in the FIFO. The datasheet is not + * precise about this case. We choose what is easiest + * to model: the packet is truncated, and TXE is raised. + * + * Note, it could be a fragmented packet, but we currently + * do not handle that (see earlier TX_B case). + */ + qemu_log_mask(LOG_GUEST_ERROR, + "MIL TX FIFO overrun, discarding %u byte%s\n", + n, n > 1 ? "s" : ""); + s->int_sts |= TXE_INT; + break; + } s->txp->data[s->txp->len] = val & 0xff; s->txp->len++; val >>= 8;
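
Review bot: The overrun message in the new "if (s->txp->len == MIL_TXFIFO_SIZE)" branch under-reports the dropped bytes by one, because "while (n--)" has already decremented n by the time qemu_log_mask() runs. The byte that triggered the check is discarded as well, so an overrun on the last byte of the word logs "discarding 0 byte". Logging n + 1, with the plural test on that same value, would make the count match what is actually lost. Two smaller points in the same branch: the format uses %u but the declaration of n is not in this hunk, so confirm it is unsigned or cast it; and the branch sets "s->int_sts |= TXE_INT" and breaks without anything in the visible lines re-evaluating the interrupt output, so check that the rest of tx_fifo_push() or its caller does that, otherwise a guest that does not poll the interrupt status register will not notice the truncation. The "== MIL_TXFIFO_SIZE" comparison is sufficient for the byte-at-a-time loop shown here; ">=" would be the more defensive form if len can ever be advanced elsewhere.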