* [PATCH V4 00/10] Detect reentrant RX caused by loopback
@ 2021-03-05  6:26 Jason Wang
  2021-03-05  6:26 ` [PATCH V4 01/10] net: introduce qemu_receive_packet() Jason Wang
                   ` (12 more replies)
  0 siblings, 13 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

Hi All:

Following commit 22dc8663d9 ("net: forbid the reentrant RX"), we
still need to fix the issues caused by loopback mode, where the NIC
usually does it via calling nc->info->receive() directly.

The fix is to introduce a new network helper and check
queue->delivering.

This series addresses CVE-2021-3416.

Thanks

Changes since V3:
- clarify CVE number in the commit log
- indent fix

Changes since V2:
- add more fixes from Alexander

Changes since V1:

- Fix dp8393x compiling
- Add rtl8139 fix
- Tweak the commit log
- Silence patchew warning

Alexander Bulekov (4):
  rtl8139: switch to use qemu_receive_packet() for loopback
  pcnet: switch to use qemu_receive_packet() for loopback
  cadence_gem: switch to use qemu_receive_packet() for loopback
  lan9118: switch to use qemu_receive_packet() for loopback

Jason Wang (6):
  net: introduce qemu_receive_packet()
  e1000: switch to use qemu_receive_packet() for loopback
  dp8393x: switch to use qemu_receive_packet() for loopback packet
  msf2-mac: switch to use qemu_receive_packet() for loopback
  sungem: switch to use qemu_receive_packet() for loopback
  tx_pkt: switch to use qemu_receive_packet_iov() for loopback

 hw/net/cadence_gem.c |  4 ++--
 hw/net/dp8393x.c     |  2 +-
 hw/net/e1000.c       |  2 +-
 hw/net/lan9118.c     |  2 +-
 hw/net/msf2-emac.c   |  2 +-
 hw/net/net_tx_pkt.c  |  2 +-
 hw/net/pcnet.c       |  2 +-
 hw/net/rtl8139.c     |  2 +-
 hw/net/sungem.c      |  2 +-
 include/net/net.h    |  5 +++++
 include/net/queue.h  |  8 ++++++++
 net/net.c            | 38 +++++++++++++++++++++++++++++++-------
 net/queue.c          | 22 ++++++++++++++++++++++
 13 files changed, 76 insertions(+), 17 deletions(-)

-- 
2.24.3 (Apple Git-128)
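As an added illustration (not code from this series or from QEMU), the shape of the problem the cover letter describes and of the queue->delivering guard it introduces, in a small C model: a NIC whose receive routine re-triggers its own transmit path while in loopback mode, delivered once through a direct callback call (the old nc->info->receive() pattern) and once through a queue helper that refuses delivery while one is already in progress. Every name here (net_queue, queue_receive, nic_receive, DEPTH_CAP, the sample frame) is constructed for the model; the unguarded path is capped at DEPTH_CAP so the demonstration terminates instead of exhausting the stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Constructed model of the reentrant-RX problem (not QEMU code). A NIC in
 * loopback mode hands its transmit buffer straight to its receive routine; if
 * the receive routine kicks the transmit ring again, the call nests without
 * bound. A `delivering` flag on the queue, checked before delivery, refuses
 * the nested call instead.
 */

#define DEPTH_CAP 8 /* bound for the unguarded model so it cannot blow the stack */

struct net_client;
typedef ssize_t (*receive_fn)(struct net_client *nc, const uint8_t *buf, size_t size);

typedef struct {
    bool delivering; /* true while a receive callback is on the stack */
} net_queue;

typedef struct net_client {
    net_queue *incoming_queue;
    receive_fn receive;   /* stands in for nc->info->receive */
    bool guarded;         /* loopback uses queue_receive() instead of receive() */
    int depth;            /* current receive nesting depth */
    int max_depth;        /* deepest nesting observed */
    int dropped;          /* frames refused by the guard */
} net_client;

/* Models the deliver step: marks the queue busy around the receive callback. */
static ssize_t queue_deliver(net_queue *q, net_client *nc, const uint8_t *buf, size_t size)
{
    ssize_t ret;
    q->delivering = true;
    ret = nc->receive(nc, buf, size);
    q->delivering = false;
    return ret;
}

/* Models the new helper: refuse delivery while another one is in progress. */
static ssize_t queue_receive(net_queue *q, net_client *nc, const uint8_t *buf, size_t size)
{
    if (q->delivering) {
        return 0; /* reentrant call: drop the frame instead of nesting */
    }
    return queue_deliver(q, nc, buf, size);
}

static void nic_transmit_loopback(net_client *nc, const uint8_t *buf, size_t size);

/* Receive routine that re-triggers transmit, the pattern behind the bug. */
static ssize_t nic_receive(struct net_client *nc, const uint8_t *buf, size_t size)
{
    nc->depth++;
    if (nc->depth > nc->max_depth) {
        nc->max_depth = nc->depth;
    }
    if (nc->depth < DEPTH_CAP) {
        nic_transmit_loopback(nc, buf, size); /* the reentrant step */
    }
    nc->depth--;
    return (ssize_t)size;
}

/* Loopback transmit: the old direct callback call versus the guarded helper. */
static void nic_transmit_loopback(net_client *nc, const uint8_t *buf, size_t size)
{
    if (nc->guarded) {
        if (queue_receive(nc->incoming_queue, nc, buf, size) == 0) {
            nc->dropped++;
        }
    } else {
        nc->receive(nc, buf, size); /* old pattern: receive callback called directly */
    }
}

/* Runs one loopback transmit and reports the nesting depth and drops observed. */
static void run_loopback(bool guarded, int *max_depth, int *dropped)
{
    static const uint8_t frame[64] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; /* constructed */
    net_queue q = { .delivering = false };
    net_client nc = { .incoming_queue = &q, .receive = nic_receive, .guarded = guarded };

    nic_transmit_loopback(&nc, frame, sizeof(frame));
    *max_depth = nc.max_depth;
    *dropped = nc.dropped;
}

int loopback_max_depth(bool guarded)
{
    int depth, dropped;
    run_loopback(guarded, &depth, &dropped);
    return depth;
}

int loopback_dropped(bool guarded)
{
    int depth, dropped;
    run_loopback(guarded, &depth, &dropped);
    return dropped;
}

int main(void)
{
    printf("unguarded: max depth %d (capped at %d), dropped %d\n",
           loopback_max_depth(false), DEPTH_CAP, loopback_dropped(false));
    printf("guarded:   max depth %d, dropped %d\n",
           loopback_max_depth(true), loopback_dropped(true));
    return 0;
}
```

The unguarded run nests until the artificial cap; the guarded run delivers the first frame and drops the nested one, which is the behaviour the series gives real devices. The flip side, visible in the model too, is that the guard drops silently: the nested frame is lost and the caller only learns about it from the zero return.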




* [PATCH V4 01/10] net: introduce qemu_receive_packet()
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 02/10] e1000: switch to use qemu_receive_packet() for loopback Jason Wang
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

Some NICs support loopback mode, and this is done by calling
nc->info->receive() directly, which in fact bypasses the
reentrancy check that is done in qemu_net_queue_send().

Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduces
qemu_receive_packet(), which is used for implementing loopback mode
for a NIC with this check.

NICs that support loopback mode will be converted to this helper.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 include/net/net.h   |  5 +++++
 include/net/queue.h |  8 ++++++++
 net/net.c           | 38 +++++++++++++++++++++++++++++++-------
 net/queue.c         | 22 ++++++++++++++++++++++
 4 files changed, 66 insertions(+), 7 deletions(-)

diff --git a/include/net/net.h b/include/net/net.h
index 919facaad2..4f56cae0fa 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -144,12 +144,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
 void qemu_del_net_client(NetClientState *nc);
 typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
 void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
+int qemu_can_receive_packet(NetClientState *nc);
 int qemu_can_send_packet(NetClientState *nc);
 ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
                           int iovcnt);
 ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
                                 int iovcnt, NetPacketSent *sent_cb);
 ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet_iov(NetClientState *nc,
+                                const struct iovec *iov,
+                                int iovcnt);
 ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
 ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
                                int size, NetPacketSent *sent_cb);
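Review bot: the three new prototypes in this hunk carry no comment on their contract. `qemu_receive_packet()` and `qemu_receive_packet_iov()` return 0 both when the client cannot receive and when the delivery is reentrant, and in either case the frame is dropped rather than queued, which differs from the `qemu_send_packet()` family declared next to them; a short comment above the prototypes would stop driver authors from assuming queued-send semantics.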
diff --git a/include/net/queue.h b/include/net/queue.h
index c0269bb1dc..9f2f289d77 100644
--- a/include/net/queue.h
+++ b/include/net/queue.h
@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
 
 void qemu_del_net_queue(NetQueue *queue);
 
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+                               const uint8_t *data,
+                               size_t size);
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+                                   const struct iovec *iov,
+                                   int iovcnt);
+
 ssize_t qemu_net_queue_send(NetQueue *queue,
                             NetClientState *sender,
                             unsigned flags,
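Review bot: `qemu_net_queue_receive()` takes `size_t size`, while its caller `qemu_receive_packet()` in net/net.c takes `int size`, so a negative `int` would be converted silently to a very large `size_t` at the call. Consider matching the `int size` of `qemu_receive_packet()` here, or asserting `size >= 0` in the caller, so the two halves of the new API agree on the type.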
diff --git a/net/net.c b/net/net.c
index da4aa313be..d889487c0d 100644
--- a/net/net.c
+++ b/net/net.c
@@ -530,6 +530,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
 #endif
 }
 
+int qemu_can_receive_packet(NetClientState *nc)
+{
+    if (nc->receive_disabled) {
+        return 0;
+    } else if (nc->info->can_receive &&
+               !nc->info->can_receive(nc)) {
+        return 0;
+    }
+    return 1;
+}
+
 int qemu_can_send_packet(NetClientState *sender)
 {
     int vm_running = runstate_is_running();
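Review bot: `qemu_can_receive_packet()` intentionally omits the `runstate_is_running()` check that `qemu_can_send_packet()` performs just below it (`int vm_running = runstate_is_running();`). That is reasonable for loopback, where the guest itself triggered the transmit, but a one-line comment saying so would keep a future reader from "fixing" the asymmetry.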
@@ -542,13 +553,7 @@ int qemu_can_send_packet(NetClientState *sender)
         return 1;
     }
 
-    if (sender->peer->receive_disabled) {
-        return 0;
-    } else if (sender->peer->info->can_receive &&
-               !sender->peer->info->can_receive(sender->peer)) {
-        return 0;
-    }
-    return 1;
+    return qemu_can_receive_packet(sender->peer);
 }
 
 static ssize_t filter_receive_iov(NetClientState *nc,
@@ -681,6 +686,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
     return qemu_send_packet_async(nc, buf, size, NULL);
 }
 
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+{
+    if (!qemu_can_receive_packet(nc)) {
+        return 0;
+    }
+
+    return qemu_net_queue_receive(nc->incoming_queue, buf, size);
+}
+
+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
+                                int iovcnt)
+{
+    if (!qemu_can_receive_packet(nc)) {
+        return 0;
+    }
+
+    return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
+}
+
 ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
 {
     return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
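Review bot: both new helpers return 0 on the `!qemu_can_receive_packet(nc)` path and, via `qemu_net_queue_receive()`, on the reentrant path, so a caller cannot tell "receiver not ready" from "nested delivery refused"; every converted driver in this series discards the return value anyway, so a dropped loopback frame leaves no trace. Consider adding a trace point on the refused path and stating in the commit log that loopback frames are dropped, not queued, when the receiver is busy or not ready.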
diff --git a/net/queue.c b/net/queue.c
index 19e32c80fd..c872d51df8 100644
--- a/net/queue.c
+++ b/net/queue.c
@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
     return ret;
 }
 
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+                               const uint8_t *data,
+                               size_t size)
+{
+    if (queue->delivering) {
+        return 0;
+    }
+
+    return qemu_net_queue_deliver(queue, NULL, 0, data, size);
+}
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+                                   const struct iovec *iov,
+                                   int iovcnt)
+{
+    if (queue->delivering) {
+        return 0;
+    }
+
+    return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
+}
+
 ssize_t qemu_net_queue_send(NetQueue *queue,
                             NetClientState *sender,
                             unsigned flags,
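Review bot: `qemu_net_queue_receive()` and `qemu_net_queue_receive_iov()` pass `NULL` as `sender` and `0` as `flags` into `qemu_net_queue_deliver()` and `qemu_net_queue_deliver_iov()`; please confirm that everything those reach (the receive callbacks and any filter code that inspects the sender) tolerates a NULL sender, and add a brief comment on why loopback has no sender. The `if (queue->delivering)` check also relies on the deliver functions setting and clearing `queue->delivering` around the callback, which this hunk does not show; a comment naming that invariant next to the check would help.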
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 02/10] e1000: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
  2021-03-05  6:26 ` [PATCH V4 01/10] net: introduce qemu_receive_packet() Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet Jason Wang
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 4345d863e6..4f75b44cfc 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
 
     NetClientState *nc = qemu_get_queue(s->nic);
     if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
-        nc->info->receive(nc, buf, size);
+        qemu_receive_packet(nc, buf, size);
     } else {
         qemu_send_packet(nc, buf, size);
     }
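Review bot: besides the reentrancy check, `qemu_receive_packet()` also runs `qemu_can_receive_packet()` (and therefore `nc->info->can_receive`) before delivering, whereas the replaced `nc->info->receive(nc, buf, size)` delivered unconditionally. A loopback frame sent while the RX side reports not-ready is now dropped instead of handed to the receive routine; that is probably the desired behaviour, but it is a change the commit message should mention. The return value is still discarded, so the drop is silent.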
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
  2021-03-05  6:26 ` [PATCH V4 01/10] net: introduce qemu_receive_packet() Jason Wang
  2021-03-05  6:26 ` [PATCH V4 02/10] e1000: switch to use qemu_receive_packet() for loopback Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 04/10] msf2-mac: switch to use qemu_receive_packet() for loopback Jason Wang
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/dp8393x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 205c0decc5..533a8304d0 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
             s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
             if (nc->info->can_receive(nc)) {
                 s->loopback_packet = 1;
-                nc->info->receive(nc, s->tx_buffer, tx_len);
+                qemu_receive_packet(nc, s->tx_buffer, tx_len);
             }
         } else {
             /* Transmit packet */
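Review bot: the surrounding `if (nc->info->can_receive(nc))` is now redundant, since `qemu_receive_packet()` performs the same `can_receive` check internally; harmless to keep, but it could be dropped in a follow-up. More importantly, `s->loopback_packet = 1` is set before the call and the hunk does not show where it is cleared; if the receive routine is what resets it, a frame refused by the reentrancy check would leave the flag set, so please verify that path.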
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 04/10] msf2-mac: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (2 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 03/10] dp8393x: switch to use qemu_receive_packet() for loopback packet Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 05/10] sungem: " Jason Wang
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/msf2-emac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
index 32ba9e8412..3e6206044f 100644
--- a/hw/net/msf2-emac.c
+++ b/hw/net/msf2-emac.c
@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
          * R_CFG1 bit 0 is set.
          */
         if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
-            nc->info->receive(nc, buf, size);
+            qemu_receive_packet(nc, buf, size);
         } else {
             qemu_send_packet(nc, buf, size);
         }
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 05/10] sungem: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (3 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 04/10] msf2-mac: switch to use qemu_receive_packet() for loopback Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 06/10] tx_pkt: switch to use qemu_receive_packet_iov() " Jason Wang
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security
  Cc: alxndr, Jason Wang, philmd, Mark Cave-Ayland, ppandit

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/sungem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/sungem.c b/hw/net/sungem.c
index 33c3722df6..3684a4d733 100644
--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
     NetClientState *nc = qemu_get_queue(s->nic);
 
     if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
-        nc->info->receive(nc, buf, size);
+        qemu_receive_packet(nc, buf, size);
     } else {
         qemu_send_packet(nc, buf, size);
     }
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (4 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 05/10] sungem: " Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 07/10] rtl8139: switch to use qemu_receive_packet() " Jason Wang
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

This patch switches to use qemu_receive_packet_iov() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/net_tx_pkt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index da262edc3e..1f9aa59eca 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
     NetClientState *nc, const struct iovec *iov, int iov_cnt)
 {
     if (pkt->is_loopback) {
-        nc->info->receive_iov(nc, iov, iov_cnt);
+        qemu_receive_packet_iov(nc, iov, iov_cnt);
     } else {
         qemu_sendv_packet(nc, iov, iov_cnt);
     }
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 07/10] rtl8139: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (5 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 06/10] tx_pkt: switch to use qemu_receive_packet_iov() " Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 08/10] pcnet: " Jason Wang
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

From: Alexander Bulekov <alxndr@bu.edu>

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/rtl8139.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 4675ac878e..90b4fc63ce 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
         }
 
         DPRINTF("+++ transmit loopback mode\n");
-        rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
+        qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
 
         if (iov) {
             g_free(buf2);
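Review bot: the replaced call `rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt)` passed `do_interrupt` through, while `qemu_receive_packet(qemu_get_queue(s->nic), buf, size)` has no such parameter, so the loopback receive now takes whatever interrupt behaviour the generic receive callback uses. If `do_interrupt` can be false on this path, that is a functional change the commit log should state; if it is always true here, a sentence saying so would reassure reviewers.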
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 08/10] pcnet: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (6 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 07/10] rtl8139: switch to use qemu_receive_packet() " Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 09/10] cadence_gem: " Jason Wang
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

From: Alexander Bulekov <alxndr@bu.edu>

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/pcnet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index f3f18d8598..dcd3fc4948 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1250,7 +1250,7 @@ txagain:
             if (BCR_SWSTYLE(s) == 1)
                 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
             s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-            pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+            qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
             s->looptest = 0;
         } else {
             if (s->nic) {
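Review bot: `s->looptest` is set immediately before the call and reset to 0 immediately after, so a frame refused by `qemu_receive_packet()` leaves no stale device state here, which is good. The return value is discarded, though, so as in the other conversions the drop is silent; a trace point in the common helper would cover this call site too.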
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 09/10] cadence_gem: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (7 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 08/10] pcnet: " Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:26 ` [PATCH V4 10/10] lan9118: " Jason Wang
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

From: Alexander Bulekov <alxndr@bu.edu>

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/cadence_gem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 9a4474a084..24b3a0ff66 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
                 /* Send the packet somewhere */
                 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
                                     GEM_NWCTRL_LOCALLOOP)) {
-                    gem_receive(qemu_get_queue(s->nic), s->tx_packet,
-                                total_bytes);
+                    qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
+                                        total_bytes);
                 } else {
                     qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
                                      total_bytes);
-- 
2.24.3 (Apple Git-128)




* [PATCH V4 10/10] lan9118: switch to use qemu_receive_packet() for loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (8 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 09/10] cadence_gem: " Jason Wang
@ 2021-03-05  6:26 ` Jason Wang
  2021-03-05  6:39 ` [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX caused by loopback P J P
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:26 UTC (permalink / raw)
  To: qemu-devel, qemu-security; +Cc: alxndr, Jason Wang, philmd, ppandit

From: Alexander Bulekov <alxndr@bu.edu>

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/lan9118.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index abc796285a..6aff424cbe 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -680,7 +680,7 @@ static void do_tx_packet(lan9118_state *s)
     /* FIXME: Honor TX disable, and allow queueing of packets.  */
     if (s->phy_control & 0x4000)  {
         /* This assumes the receive routine doesn't touch the VLANClient.  */
-        lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+        qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
     } else {
         qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
     }
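Review bot: the comment `/* This assumes the receive routine doesn't touch the VLANClient.  */` directly above the changed line describes the old direct `lan9118_receive()` call; with `qemu_receive_packet()` the frame now goes through the net layer (`qemu_can_receive_packet()` and the queue's `delivering` check), so the comment is stale and should be updated or removed in this patch. The `0x4000` mask on `s->phy_control` is pre-existing, but a named constant would make the loopback condition readable.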
-- 
2.24.3 (Apple Git-128)




* Re: [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX caused by loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (9 preceding siblings ...)
  2021-03-05  6:26 ` [PATCH V4 10/10] lan9118: " Jason Wang
@ 2021-03-05  6:39 ` P J P
  2021-03-05  6:44   ` Jason Wang
  2021-03-05  9:38 ` Philippe Mathieu-Daudé
  2021-03-08  3:55 ` Jason Wang
  12 siblings, 1 reply; 16+ messages in thread
From: P J P @ 2021-03-05  6:39 UTC (permalink / raw)
  To: qemu-devel, qemu-security, Jason Wang; +Cc: alxndr, philmd, ppandit

Hello all,

Just to note:

* Let's use <qemu-security> list to review non-public/embargoed patch(es) only.

* If patch(es) is being reviewed publicly on <qemu-devel> list,
  CC'ing <qemu-security> list does not help much.


Thank you.
---
  -P J P
http://feedmug.com



* Re: [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX caused by loopback
  2021-03-05  6:39 ` [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX caused by loopback P J P
@ 2021-03-05  6:44   ` Jason Wang
  0 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-05  6:44 UTC (permalink / raw)
  To: P J P, qemu-devel, qemu-security; +Cc: alxndr, philmd, ppandit


On 2021/3/5 2:39 PM, P J P wrote:
> Hello all,
>
> Just to note:
>
> * Let's use <qemu-security> list to review non-public/embargoed patch(es) only.
>
> * If patch(es) is being reviewed publicly on <qemu-devel> list,
>    CC'ing <qemu-security> list does not help much.
>
>
> Thank you.
> ---
>    -P J P
> http://feedmug.com


I see.

Thanks





* Re: [PATCH V4 00/10] Detect reentrant RX caused by loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (10 preceding siblings ...)
  2021-03-05  6:39 ` [QEMU-SECURITY] [PATCH V4 00/10] Detect reentrant RX caused by loopback P J P
@ 2021-03-05  9:38 ` Philippe Mathieu-Daudé
  2021-03-08  3:26   ` Jason Wang
  2021-03-08  3:55 ` Jason Wang
  12 siblings, 1 reply; 16+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-03-05  9:38 UTC (permalink / raw)
  To: Jason Wang, qemu-devel, qemu-security; +Cc: alxndr, ppandit

On 3/5/21 7:26 AM, Jason Wang wrote:
> Hi All:
> 
> Following commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues caused by loopback mode, where the NIC
> usually does it via calling nc->info->receive() directly.
> 
> The fix is to introduce a new network helper and check
> queue->delivering.
> 
> This series addresses CVE-2021-3416.
> 
> Thanks
> 
> Changes since V3:
> - clarify CVE number in the commit log
> - indent fix
> 
> Changes since V2:
> - add more fixes from Alexander
> 
> Changes since V1:
> 
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silence patchew warning
> 
> Alexander Bulekov (4):
>   rtl8139: switch to use qemu_receive_packet() for loopback
>   pcnet: switch to use qemu_receive_packet() for loopback
>   cadence_gem: switch to use qemu_receive_packet() for loopback
>   lan9118: switch to use qemu_receive_packet() for loopback
> 
> Jason Wang (6):
>   net: introduce qemu_receive_packet()
>   e1000: switch to use qemu_receive_packet() for loopback
>   dp8393x: switch to use qemu_receive_packet() for loopback packet
>   msf2-mac: switch to use qemu_receive_packet() for loopback
>   sungem: switch to use qemu_receive_packet() for loopback
>   tx_pkt: switch to use qemu_receive_packet_iov() for loopback
> 
>  hw/net/cadence_gem.c |  4 ++--
>  hw/net/dp8393x.c     |  2 +-
>  hw/net/e1000.c       |  2 +-
>  hw/net/lan9118.c     |  2 +-
>  hw/net/msf2-emac.c   |  2 +-
>  hw/net/net_tx_pkt.c  |  2 +-
>  hw/net/pcnet.c       |  2 +-
>  hw/net/rtl8139.c     |  2 +-
>  hw/net/sungem.c      |  2 +-
>  include/net/net.h    |  5 +++++
>  include/net/queue.h  |  8 ++++++++
>  net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>  net/queue.c          | 22 ++++++++++++++++++++++
>  13 files changed, 76 insertions(+), 17 deletions(-)
> 

LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
when applying.




* Re: [PATCH V4 00/10] Detect reentrant RX caused by loopback
  2021-03-05  9:38 ` Philippe Mathieu-Daudé
@ 2021-03-08  3:26   ` Jason Wang
  0 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-08  3:26 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé, qemu-devel, qemu-security; +Cc: alxndr, ppandit


On 2021/3/5 5:38 PM, Philippe Mathieu-Daudé wrote:
> On 3/5/21 7:26 AM, Jason Wang wrote:
>> Hi All:
>>
>> Following commit 22dc8663d9 ("net: forbid the reentrant RX"), we
>> still need to fix the issues caused by loopback mode, where the NIC
>> usually does it via calling nc->info->receive() directly.
>>
>> The fix is to introduce a new network helper and check
>> queue->delivering.
>>
>> This series addresses CVE-2021-3416.
>>
>> Thanks
>>
>> Changes since V3:
>> - clarify CVE number in the commit log
>> - indent fix
>>
>> Changes since V2:
>> - add more fixes from Alexander
>>
>> Changes since V1:
>>
>> - Fix dp8393x compiling
>> - Add rtl8139 fix
>> - Tweak the commit log
>> - Silence patchew warning
>>
>> Alexander Bulekov (4):
>>    rtl8139: switch to use qemu_receive_packet() for loopback
>>    pcnet: switch to use qemu_receive_packet() for loopback
>>    cadence_gem: switch to use qemu_receive_packet() for loopback
>>    lan9118: switch to use qemu_receive_packet() for loopback
>>
>> Jason Wang (6):
>>    net: introduce qemu_receive_packet()
>>    e1000: switch to use qemu_receive_packet() for loopback
>>    dp8393x: switch to use qemu_receive_packet() for loopback packet
>>    msf2-mac: switch to use qemu_receive_packet() for loopback
>>    sungem: switch to use qemu_receive_packet() for loopback
>>    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>>
>>   hw/net/cadence_gem.c |  4 ++--
>>   hw/net/dp8393x.c     |  2 +-
>>   hw/net/e1000.c       |  2 +-
>>   hw/net/lan9118.c     |  2 +-
>>   hw/net/msf2-emac.c   |  2 +-
>>   hw/net/net_tx_pkt.c  |  2 +-
>>   hw/net/pcnet.c       |  2 +-
>>   hw/net/rtl8139.c     |  2 +-
>>   hw/net/sungem.c      |  2 +-
>>   include/net/net.h    |  5 +++++
>>   include/net/queue.h  |  8 ++++++++
>>   net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>>   net/queue.c          | 22 ++++++++++++++++++++++
>>   13 files changed, 76 insertions(+), 17 deletions(-)
>>
> LGTM, maybe worth adding the "Cc: qemu-stable@nongnu.org" tag
> when applying.


Yes, will do.

Thanks


>




* Re: [PATCH V4 00/10] Detect reentrant RX caused by loopback
  2021-03-05  6:26 [PATCH V4 00/10] Detect reentrant RX caused by loopback Jason Wang
                   ` (11 preceding siblings ...)
  2021-03-05  9:38 ` Philippe Mathieu-Daudé
@ 2021-03-08  3:55 ` Jason Wang
  12 siblings, 0 replies; 16+ messages in thread
From: Jason Wang @ 2021-03-08  3:55 UTC (permalink / raw)
  To: qemu-devel; +Cc: alxndr, philmd, ppandit


On 2021/3/5 2:26 PM, Jason Wang wrote:
> Hi All:
>
> Following commit 22dc8663d9 ("net: forbid the reentrant RX"), we
> still need to fix the issues caused by loopback mode, where the NIC
> usually does it via calling nc->info->receive() directly.
>
> The fix is to introduce a new network helper and check
> queue->delivering.
>
> This series addresses CVE-2021-3416.
>
> Thanks


So, I've queued this series with stable cc'ed.

Thanks


>
> Changes since V3:
> - clarify CVE number in the commit log
> - indent fix
>
> Changes since V2:
> - add more fixes from Alexander
>
> Changes since V1:
>
> - Fix dp8393x compiling
> - Add rtl8139 fix
> - Tweak the commit log
> - Silence patchew warning
>
> Alexander Bulekov (4):
>    rtl8139: switch to use qemu_receive_packet() for loopback
>    pcnet: switch to use qemu_receive_packet() for loopback
>    cadence_gem: switch to use qemu_receive_packet() for loopback
>    lan9118: switch to use qemu_receive_packet() for loopback
>
> Jason Wang (6):
>    net: introduce qemu_receive_packet()
>    e1000: switch to use qemu_receive_packet() for loopback
>    dp8393x: switch to use qemu_receive_packet() for loopback packet
>    msf2-mac: switch to use qemu_receive_packet() for loopback
>    sungem: switch to use qemu_receive_packet() for loopback
>    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
>
>   hw/net/cadence_gem.c |  4 ++--
>   hw/net/dp8393x.c     |  2 +-
>   hw/net/e1000.c       |  2 +-
>   hw/net/lan9118.c     |  2 +-
>   hw/net/msf2-emac.c   |  2 +-
>   hw/net/net_tx_pkt.c  |  2 +-
>   hw/net/pcnet.c       |  2 +-
>   hw/net/rtl8139.c     |  2 +-
>   hw/net/sungem.c      |  2 +-
>   include/net/net.h    |  5 +++++
>   include/net/queue.h  |  8 ++++++++
>   net/net.c            | 38 +++++++++++++++++++++++++++++++-------
>   net/queue.c          | 22 ++++++++++++++++++++++
>   13 files changed, 76 insertions(+), 17 deletions(-)
>



