* [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format
@ 2016-09-29 18:57 P J P
2016-09-29 18:57 ` [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length P J P
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: P J P @ 2016-09-29 18:57 UTC (permalink / raw)
To: Qemu Developers; +Cc: Li Qiang, Jason Wang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
Hello,
An infinite loop issue in 'pcnet_rdra_addr' routine, caused by zero
receive/transmit descriptor ring length value, was reported by
Mr Li Qiang. One of the patches below fixes this issue. And the other
one corrects indentation and source formatting glitches.
Thank you.
Prasad J Pandit (2):
net: pcnet: check rx/tx descriptor ring length
net: pcnet: fix source formatting and indentation
hw/net/pcnet.c | 125 ++++++++++++++++++++++++++++++---------------------------
1 file changed, 66 insertions(+), 59 deletions(-)
--
2.5.5
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
2016-09-29 18:57 [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format P J P
@ 2016-09-29 18:57 ` P J P
2016-09-30 3:06 ` Jason Wang
2016-09-29 18:57 ` [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation P J P
2016-09-29 19:08 ` [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format no-reply
2 siblings, 1 reply; 9+ messages in thread
From: P J P @ 2016-09-29 18:57 UTC (permalink / raw)
To: Qemu Developers; +Cc: Li Qiang, Jason Wang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;
--
2.5.5
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation
2016-09-29 18:57 [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format P J P
2016-09-29 18:57 ` [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length P J P
@ 2016-09-29 18:57 ` P J P
2016-09-30 3:08 ` Jason Wang
2016-09-29 19:08 ` [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format no-reply
2 siblings, 1 reply; 9+ messages in thread
From: P J P @ 2016-09-29 18:57 UTC (permalink / raw)
To: Qemu Developers; +Cc: Li Qiang, Jason Wang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
Fix indentations and source format at few places. Add braces
around few 'if' and 'while' statements.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/net/pcnet.c | 122 +++++++++++++++++++++++++++++----------------------------
1 file changed, 63 insertions(+), 59 deletions(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 3078de8..66d077d 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -302,7 +302,7 @@ static inline void pcnet_tmd_load(PCNetState *s, struct pcnet_TMD *tmd,
uint32_t tbadr;
int16_t length;
int16_t status;
- } xda;
+ } xda;
s->phys_mem_read(s->dma_opaque, addr, (void *)&xda, sizeof(xda), 0);
tmd->tbadr = le32_to_cpu(xda.tbadr) & 0xffffff;
tmd->length = le16_to_cpu(xda.length);
@@ -664,7 +664,9 @@ static inline int ladr_match(PCNetState *s, const uint8_t *buf, int size)
static inline hwaddr pcnet_rdra_addr(PCNetState *s, int idx)
{
- while (idx < 1) idx += CSR_RCVRL(s);
+ while (idx < 1) {
+ idx += CSR_RCVRL(s);
+ }
return s->rdra + ((CSR_RCVRL(s) - idx) * (BCR_SWSTYLE(s) ? 16 : 8));
}
@@ -672,8 +674,10 @@ static inline int64_t pcnet_get_next_poll_time(PCNetState *s, int64_t current_ti
{
int64_t next_time = current_time +
(65536 - (CSR_SPND(s) ? 0 : CSR_POLL(s))) * 30;
- if (next_time <= current_time)
+
+ if (next_time <= current_time) {
next_time = current_time + 1;
+ }
return next_time;
}
@@ -795,13 +799,13 @@ static void pcnet_init(PCNetState *s)
mode = le16_to_cpu(initblk.mode);
rlen = initblk.rlen >> 4;
tlen = initblk.tlen >> 4;
- ladrf[0] = le16_to_cpu(initblk.ladrf[0]);
- ladrf[1] = le16_to_cpu(initblk.ladrf[1]);
- ladrf[2] = le16_to_cpu(initblk.ladrf[2]);
- ladrf[3] = le16_to_cpu(initblk.ladrf[3]);
- padr[0] = le16_to_cpu(initblk.padr[0]);
- padr[1] = le16_to_cpu(initblk.padr[1]);
- padr[2] = le16_to_cpu(initblk.padr[2]);
+ ladrf[0] = le16_to_cpu(initblk.ladrf[0]);
+ ladrf[1] = le16_to_cpu(initblk.ladrf[1]);
+ ladrf[2] = le16_to_cpu(initblk.ladrf[2]);
+ ladrf[3] = le16_to_cpu(initblk.ladrf[3]);
+ padr[0] = le16_to_cpu(initblk.padr[0]);
+ padr[1] = le16_to_cpu(initblk.padr[1]);
+ padr[2] = le16_to_cpu(initblk.padr[2]);
rdra = le32_to_cpu(initblk.rdra);
tdra = le32_to_cpu(initblk.tdra);
} else {
@@ -809,13 +813,13 @@ static void pcnet_init(PCNetState *s)
s->phys_mem_read(s->dma_opaque, PHYSADDR(s,CSR_IADR(s)),
(uint8_t *)&initblk, sizeof(initblk), 0);
mode = le16_to_cpu(initblk.mode);
- ladrf[0] = le16_to_cpu(initblk.ladrf[0]);
- ladrf[1] = le16_to_cpu(initblk.ladrf[1]);
- ladrf[2] = le16_to_cpu(initblk.ladrf[2]);
- ladrf[3] = le16_to_cpu(initblk.ladrf[3]);
- padr[0] = le16_to_cpu(initblk.padr[0]);
- padr[1] = le16_to_cpu(initblk.padr[1]);
- padr[2] = le16_to_cpu(initblk.padr[2]);
+ ladrf[0] = le16_to_cpu(initblk.ladrf[0]);
+ ladrf[1] = le16_to_cpu(initblk.ladrf[1]);
+ ladrf[2] = le16_to_cpu(initblk.ladrf[2]);
+ ladrf[3] = le16_to_cpu(initblk.ladrf[3]);
+ padr[0] = le16_to_cpu(initblk.padr[0]);
+ padr[1] = le16_to_cpu(initblk.padr[1]);
+ padr[2] = le16_to_cpu(initblk.padr[2]);
rdra = le32_to_cpu(initblk.rdra);
tdra = le32_to_cpu(initblk.tdra);
rlen = rdra >> 29;
@@ -858,12 +862,12 @@ static void pcnet_start(PCNetState *s)
printf("pcnet_start\n");
#endif
- if (!CSR_DTX(s))
+ if (!CSR_DTX(s)) {
s->csr[0] |= 0x0010; /* set TXON */
-
- if (!CSR_DRX(s))
+ }
+ if (!CSR_DRX(s)) {
s->csr[0] |= 0x0020; /* set RXON */
-
+ }
s->csr[0] &= ~0x0004; /* clear STOP bit */
s->csr[0] |= 0x0002;
pcnet_poll_timer(s);
@@ -925,8 +929,7 @@ static void pcnet_rdte_poll(PCNetState *s)
crda);
}
} else {
- printf("pcnet: BAD RMD RDA=0x" TARGET_FMT_plx "\n",
- crda);
+ printf("pcnet: BAD RMD RDA=0x" TARGET_FMT_plx "\n", crda);
#endif
}
}
@@ -1168,10 +1171,11 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
#endif
while (pktcount--) {
- if (CSR_RCVRC(s) <= 1)
+ if (CSR_RCVRC(s) <= 1) {
CSR_RCVRC(s) = CSR_RCVRL(s);
- else
+ } else {
CSR_RCVRC(s)--;
+ }
}
pcnet_rdte_poll(s);
@@ -1207,7 +1211,7 @@ static void pcnet_transmit(PCNetState *s)
s->tx_busy = 1;
- txagain:
+txagain:
if (pcnet_tdte_poll(s)) {
struct pcnet_TMD tmd;
@@ -1251,7 +1255,7 @@ static void pcnet_transmit(PCNetState *s)
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;
-
+
if (!GET_FIELD(tmd.status, TMDS, ENP)) {
goto txdone;
}
@@ -1276,21 +1280,22 @@ static void pcnet_transmit(PCNetState *s)
s->csr[4] |= 0x0004; /* set TXSTRT */
s->xmit_pos = -1;
- txdone:
+txdone:
SET_FIELD(&tmd.status, TMDS, OWN, 0);
TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));
- if (!CSR_TOKINTD(s) || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT)))
+ if (!CSR_TOKINTD(s)
+ || (CSR_LTINTEN(s) && GET_FIELD(tmd.status, TMDS, LTINT))) {
s->csr[0] |= 0x0200; /* set TINT */
-
- if (CSR_XMTRC(s)<=1)
+ }
+ if (CSR_XMTRC(s)<=1) {
CSR_XMTRC(s) = CSR_XMTRL(s);
- else
+ } else {
CSR_XMTRC(s)--;
- if (count--)
+ }
+ if (count--) {
goto txagain;
-
- } else
- if (s->xmit_pos >= 0) {
+ }
+ } else if (s->xmit_pos >= 0) {
struct pcnet_TMD tmd;
TMDLOAD(&tmd, xmit_cxda);
SET_FIELD(&tmd.misc, TMDM, BUFF, 1);
@@ -1301,9 +1306,9 @@ static void pcnet_transmit(PCNetState *s)
s->csr[0] |= 0x0200; /* set TINT */
if (!CSR_DXSUFLO(s)) {
s->csr[0] &= ~0x0010;
- } else
- if (count--)
+ } else if (count--) {
goto txagain;
+ }
}
s->tx_busy = 0;
@@ -1315,13 +1320,11 @@ static void pcnet_poll(PCNetState *s)
pcnet_rdte_poll(s);
}
- if (CSR_TDMD(s) ||
- (CSR_TXON(s) && !CSR_DPOLL(s) && pcnet_tdte_poll(s)))
- {
+ if (CSR_TDMD(s) || (CSR_TXON(s) && !CSR_DPOLL(s) && pcnet_tdte_poll(s))) {
/* prevent recursion */
- if (s->tx_busy)
+ if (s->tx_busy) {
return;
-
+ }
pcnet_transmit(s);
}
}
@@ -1340,15 +1343,16 @@ static void pcnet_poll_timer(void *opaque)
if (!CSR_STOP(s) && !CSR_SPND(s) && !CSR_DPOLL(s)) {
uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) * 33;
- if (!s->timer || !now)
+ if (!s->timer || !now) {
s->timer = now;
- else {
+ } else {
uint64_t t = now - s->timer + CSR_POLL(s);
if (t > 0xffffLL) {
pcnet_poll(s);
CSR_POLL(s) = CSR_PINT(s);
- } else
+ } else {
CSR_POLL(s) = t;
+ }
}
timer_mod(s->poll_timer,
pcnet_get_next_poll_time(s,qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)));
@@ -1371,21 +1375,21 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
val = (val & 0x007f) | (s->csr[0] & 0x7f00);
/* IFF STOP, STRT and INIT are set, clear STRT and INIT */
- if ((val&7) == 7)
+ if ((val&7) == 7) {
val &= ~3;
-
- if (!CSR_STOP(s) && (val & 4))
+ }
+ if (!CSR_STOP(s) && (val & 4)) {
pcnet_stop(s);
-
- if (!CSR_INIT(s) && (val & 1))
+ }
+ if (!CSR_INIT(s) && (val & 1)) {
pcnet_init(s);
-
- if (!CSR_STRT(s) && (val & 2))
+ }
+ if (!CSR_STRT(s) && (val & 2)) {
pcnet_start(s);
-
- if (CSR_TDMD(s))
+ }
+ if (CSR_TDMD(s)) {
pcnet_transmit(s);
-
+ }
return;
case 1:
case 2:
@@ -1435,8 +1439,9 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
val = (val > 0) ? val : 512;
break;
case 112:
- if (CSR_STOP(s) || CSR_SPND(s))
+ if (CSR_STOP(s) || CSR_SPND(s)) {
break;
+ }
return;
case 3:
break;
@@ -1654,8 +1659,7 @@ void pcnet_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
pcnet_bcr_writew(s, s->rap, val & 0xffff);
break;
}
- } else
- if ((addr & 0x0f) == 0) {
+ } else if ((addr & 0x0f) == 0) {
/* switch device to dword i/o mode */
pcnet_bcr_writew(s, BCR_BSBC, pcnet_bcr_readw(s, BCR_BSBC) | 0x0080);
#ifdef PCNET_DEBUG_IO
--
2.5.5
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format
2016-09-29 18:57 [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format P J P
2016-09-29 18:57 ` [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length P J P
2016-09-29 18:57 ` [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation P J P
@ 2016-09-29 19:08 ` no-reply
2 siblings, 0 replies; 9+ messages in thread
From: no-reply @ 2016-09-29 19:08 UTC (permalink / raw)
To: ppandit; +Cc: famz, qemu-devel, jasowang, liqiang6-s, pjp
Hi,
Your series seems to have some coding style problems. See output below for
more information:
Type: series
Message-id: 1475175454-3116-1-git-send-email-ppandit@redhat.com
Subject: [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format
=== TEST SCRIPT BEGIN ===
#!/bin/bash
BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0
# Useful git options
git config --local diff.renamelimit 0
git config --local diff.renames True
commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
echo "Checking PATCH $n/$total: $(git show --no-patch --format=%s $c)..."
if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
failed=1
echo
fi
n=$((n+1))
done
exit $failed
=== TEST SCRIPT END ===
Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
aa6ffbb net: pcnet: fix source formatting and indentation
71981b1 net: pcnet: check rx/tx descriptor ring length
=== OUTPUT BEGIN ===
Checking PATCH 1/2: net: pcnet: check rx/tx descriptor ring length...
Checking PATCH 2/2: net: pcnet: fix source formatting and indentation...
ERROR: spaces required around that '<=' (ctx:VxV)
#164: FILE: hw/net/pcnet.c:1290:
+ if (CSR_XMTRC(s)<=1) {
^
ERROR: suspect code indent for conditional statements (8, 10)
#187: FILE: hw/net/pcnet.c:1309:
+ } else if (count--) {
goto txagain;
ERROR: suspect code indent for conditional statements (8, 10)
#235: FILE: hw/net/pcnet.c:1378:
+ if ((val&7) == 7) {
val &= ~3;
ERROR: spaces required around that '&' (ctx:VxV)
#235: FILE: hw/net/pcnet.c:1378:
+ if ((val&7) == 7) {
^
ERROR: suspect code indent for conditional statements (7, 11)
#267: FILE: hw/net/pcnet.c:1442:
+ if (CSR_STOP(s) || CSR_SPND(s)) {
break;
total: 5 errors, 0 warnings, 250 lines checked
Your patch has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
=== OUTPUT END ===
Test command exited with code: 1
---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@freelists.org
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
2016-09-29 18:57 ` [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length P J P
@ 2016-09-30 3:06 ` Jason Wang
2016-09-30 5:36 ` P J P
0 siblings, 1 reply; 9+ messages in thread
From: Jason Wang @ 2016-09-30 3:06 UTC (permalink / raw)
To: P J P, Qemu Developers; +Cc: Li Qiang, Prasad J Pandit
On 2016年09月30日 02:57, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> The AMD PC-Net II emulator has set of control and status(CSR)
> registers. Of these, CSR76 and CSR78 hold receive and transmit
> descriptor ring length respectively. This ring length could range
> from 1 to 65535. Setting ring length to zero leads to an infinite
> loop in pcnet_rdra_addr. Add check to avoid it.
In this case, we only need to protect RCVRL I believe? (since XMTRL were
not used).
>
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/pcnet.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
> index 198a01f..3078de8 100644
> --- a/hw/net/pcnet.c
> +++ b/hw/net/pcnet.c
> @@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
> case 47: /* POLLINT */
> case 72:
> case 74:
> + break;
> case 76: /* RCVRL */
> case 78: /* XMTRL */
> + val = (val > 0) ? val : 512;
> + break;
> case 112:
> if (CSR_STOP(s) || CSR_SPND(s))
> break;
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation
2016-09-29 18:57 ` [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation P J P
@ 2016-09-30 3:08 ` Jason Wang
2016-09-30 6:50 ` P J P
0 siblings, 1 reply; 9+ messages in thread
From: Jason Wang @ 2016-09-30 3:08 UTC (permalink / raw)
To: P J P, Qemu Developers; +Cc: Li Qiang, Prasad J Pandit
On 2016年09月30日 02:57, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Fix indentations and source format at few places. Add braces
> around few 'if' and 'while' statements.
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Thanks but there're still several other places that needs to be fixed
were reported by robot.
Please fix them too.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
2016-09-30 3:06 ` Jason Wang
@ 2016-09-30 5:36 ` P J P
2016-10-20 2:03 ` Jason Wang
0 siblings, 1 reply; 9+ messages in thread
From: P J P @ 2016-09-30 5:36 UTC (permalink / raw)
To: Jason Wang; +Cc: Qemu Developers, Li Qiang
Hello Jason,
+-- On Fri, 30 Sep 2016, Jason Wang wrote --+
| On 2016年09月30日 02:57, P J P wrote:
| > The AMD PC-Net II emulator has set of control and status(CSR)
| > registers. Of these, CSR76 and CSR78 hold receive and transmit
| > descriptor ring length respectively. This ring length could range
| > from 1 to 65535. Setting ring length to zero leads to an infinite
| > loop in pcnet_rdra_addr. Add check to avoid it.
|
| In this case, we only need to protect RCVRL I believe? (since XMTRL were not
| used).
XMTRL is not used in this case, but could be prone to similar issues. For
ex.
static void pcnet_transmit(PCNetState *s)
{
int count = CSR_XMTRL(s) - 1;
...
if (count--)
goto txagain;
}
If CSR_XMTRL is set to zero(0), 'count' would never reach zero and function
would continue to jump to 'txagain'.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation
2016-09-30 3:08 ` Jason Wang
@ 2016-09-30 6:50 ` P J P
0 siblings, 0 replies; 9+ messages in thread
From: P J P @ 2016-09-30 6:50 UTC (permalink / raw)
To: Jason Wang; +Cc: Qemu Developers, Li Qiang
+-- On Fri, 30 Sep 2016, Jason Wang wrote --+
| Thanks but there're still several other places that needs to be fixed were
| reported by robot.
|
| Please fix them too.
Done. Sent a revised patch v2.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
2016-09-30 5:36 ` P J P
@ 2016-10-20 2:03 ` Jason Wang
0 siblings, 0 replies; 9+ messages in thread
From: Jason Wang @ 2016-10-20 2:03 UTC (permalink / raw)
To: P J P; +Cc: Li Qiang, Qemu Developers
On 2016年09月30日 13:36, P J P wrote:
> Hello Jason,
>
> +-- On Fri, 30 Sep 2016, Jason Wang wrote --+
> | On 2016年09月30日 02:57, P J P wrote:
> | > The AMD PC-Net II emulator has set of control and status(CSR)
> | > registers. Of these, CSR76 and CSR78 hold receive and transmit
> | > descriptor ring length respectively. This ring length could range
> | > from 1 to 65535. Setting ring length to zero leads to an infinite
> | > loop in pcnet_rdra_addr. Add check to avoid it.
> |
> | In this case, we only need to protect RCVRL I believe? (since XMTRL were not
> | used).
>
> XMTRL is not used in this case, but could be prone to similar issues. For
> ex.
>
> static void pcnet_transmit(PCNetState *s)
> {
> int count = CSR_XMTRL(s) - 1;
> ...
> if (count--)
> goto txagain;
> }
>
> If CSR_XMTRL is set to zero(0), 'count' would never reach zero and function
> would continue to jump to 'txagain'.
Applied and tweak the commit log by mentioning pcnet_transmit() too.
Thanks
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2016-10-20 2:03 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-29 18:57 [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format P J P
2016-09-29 18:57 ` [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length P J P
2016-09-30 3:06 ` Jason Wang
2016-09-30 5:36 ` P J P
2016-10-20 2:03 ` Jason Wang
2016-09-29 18:57 ` [Qemu-devel] [PATCH 2/2] net: pcnet: fix source formatting and indentation P J P
2016-09-30 3:08 ` Jason Wang
2016-09-30 6:50 ` P J P
2016-09-29 19:08 ` [Qemu-devel] [PATCH 0/2] net: pcnet: fix infinite loop and source format no-reply
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.