From patchwork Fri Feb 21 17:49:40 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Michael Tokarev <mjt@tls.msk.ru>
X-Patchwork-Id: 867121
Delivered-To: patch@linaro.org
Received: by 2002:a5d:47cf:0:b0:38f:210b:807b with SMTP id o15csp482858wrc;
 Fri, 21 Feb 2025 09:53:10 -0800 (PST)
X-Forwarded-Encrypted: i=2;
 AJvYcCXQ83tMA2Se2GFkS+N7RsQGmCkn6oo+Fjto08Z3a4Itm5RnXu3Exz8XHNB9zVWuw6TEiHoYOg==@linaro.org
X-Google-Smtp-Source: AGHT+IGY2dbI/OlbVdu68hiJfUQUjfvwivmbdyxysjJWCLQfE46SqaW7DNPzD4UbyLN89i0RYOcF
X-Received: by 2002:a05:620a:4047:b0:7c0:c23b:23b4 with SMTP id
 af79cd13be357-7c0cf96fc8emr638749585a.53.1740160390516;
 Fri, 21 Feb 2025 09:53:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1740160390; cv=none;
 d=google.com; s=arc-20240605;
 b=PYsN20vr7b1KTatSDxyrgR+6+3QDF5cTCb+uJHfIc29PbpKT6xHczNVFyJhV9xGSQu
 XPZUoK6NxlWHRqOloX2oafrxTa/4DD2nsUxnFdihAET+jY/ufLAn6YDp1WNAIaTgZir8
 tH97fXb+afbOlI5vBLJrlpvm9jPjaY6oPj8RGsRSqu+LbgMPcvSkoaaoFu7E7f7g4gn+
 diJGhaMti/TisFl8BWKb4/bomSe2dQnlQ9jKMIGWi1r/bty6sdxCZvanGc5ZO+BA2/y4
 jcgyPdoK7YR+++6PWht2rIYv7HJkpY4g/nDuaYQea4JlLfNIeSRFna0XVLmsrcFilUN/
 fU+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:references:in-reply-to:message-id:date:subject:cc:to
 :from; bh=B4vcFezA68ncOm/ZIbvt0PIoWKPJOoUZ/zWTOEokbr4=;
 fh=He0A/96iGS/hdBTIvTFKPoE7yByjlEm52ubAJxr7bqo=;
 b=J6MsbET1tzzJoBtbWIZvhhD4AbfGADBkcuZxrS9ZG+RgFKueh0Vv3sSvy4YalHdtYo
 M9ZuKdhkSfu6ZpFaa07cONlsIjBigkKppkBAPg95KN0lhZVH0S7+/IMuhVm98LiRKzyu
 JSWN68R/6tltuZKBVi9NQWH1T1Oz6D9ycZpkkPlbE4HAJAZdZ+WPr4JZ8KUrGD9tBGDC
 9gizDcwhHz8EngRplvv/xkhKclbD7XSFp832n2Gx2v7u4JROtCmj7unN+TF8Q+Zlq2uE
 3z4zga6S7vJxQhqZVX6rG9ma3PK5/jKSRLB8oGNL9nNQLPdXhMGXnA82mvAKJAsmoJqR
 Yhag==; dara=google.com
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Return-Path: <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17])
 by mx.google.com with ESMTPS id
 af79cd13be357-7c0adf5d380si723614385a.532.2025.02.21.09.53.10
 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
 Fri, 21 Feb 2025 09:53:10 -0800 (PST)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Received: from localhost ([::1] helo=lists1p.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <qemu-devel-bounces@nongnu.org>)
 id 1tlXAQ-00011c-9U; Fri, 21 Feb 2025 12:50:26 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1tlXAC-0000yO-4t; Fri, 21 Feb 2025 12:50:12 -0500
Received: from isrv.corpit.ru ([86.62.121.231])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1tlXAA-0001pL-5V; Fri, 21 Feb 2025 12:50:11 -0500
Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2])
 by isrv.corpit.ru (Postfix) with ESMTP id 4F00DEFB6D;
 Fri, 21 Feb 2025 20:49:31 +0300 (MSK)
Received: from gandalf.tls.msk.ru (mjt.wg.tls.msk.ru [192.168.177.130])
 by tsrv.corpit.ru (Postfix) with ESMTP id 07CD81BB589;
 Fri, 21 Feb 2025 20:49:51 +0300 (MSK)
Received: by gandalf.tls.msk.ru (Postfix, from userid 1000)
 id E65A153F8D; Fri, 21 Feb 2025 20:49:50 +0300 (MSK)
From: Michael Tokarev <mjt@tls.msk.ru>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell <peter.maydell@linaro.org>,
 =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Michael Tokarev <mjt@tls.msk.ru>
Subject: [Stable-9.2.2 10/14] hw/net/smc91c111: Ignore attempt to pop from
 empty RX fifo
Date: Fri, 21 Feb 2025 20:49:40 +0300
Message-Id: <20250221174949.836197-10-mjt@tls.msk.ru>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <qemu-stable-9.2.2-20250221204240@cover.tls.msk.ru>
References: <qemu-stable-9.2.2-20250221204240@cover.tls.msk.ru>
MIME-Version: 1.0
Received-SPF: pass client-ip=86.62.121.231; envelope-from=mjt@tls.msk.ru;
 helo=isrv.corpit.ru
X-Spam_score_int: -68
X-Spam_score: -6.9
X-Spam_bar: ------
X-Spam_report: (-6.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5,
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

From: Peter Maydell <peter.maydell@linaro.org>

The SMC91C111 includes an MMU Command register which permits
the guest to remove entries from the RX FIFO. The datasheet
does not specify what happens if the guest tries to do this
when the FIFO is already empty; there are no status registers
containing error bits which might be applicable.

Currently we don't guard at all against pop of an empty
RX FIFO, with the result that we allow the guest to drive
the rx_fifo_len index to negative values, which will cause
smc91c111_receive() to write to the rx_fifo[] array out of
bounds when we receive the next packet.

Instead ignore attempts to pop an empty RX FIFO.

Cc: qemu-stable@nongnu.org
Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250207151157.3151776-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 937df81af6757638a7f1908747560dd342947213)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index 180ba5c791..2a652885c9 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -182,6 +182,15 @@ static void smc91c111_pop_rx_fifo(smc91c111_state *s)
 {
     int i;
 
+    if (s->rx_fifo_len == 0) {
+        /*
+         * The datasheet doesn't document what the behaviour is if the
+         * guest tries to pop an empty RX FIFO, and there's no obvious
+         * error status register to report it. Just ignore the attempt.
+         */
+        return;
+    }
+
     s->rx_fifo_len--;
     if (s->rx_fifo_len) {
         for (i = 0; i < s->rx_fifo_len; i++)