From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45154)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dmitry@daynix.com>) id 1a8208-00038j-Ho
	for qemu-devel@nongnu.org; Sun, 13 Dec 2015 03:27:29 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <dmitry@daynix.com>) id 1a8203-0004ZA-Iz
	for qemu-devel@nongnu.org; Sun, 13 Dec 2015 03:27:28 -0500
Received: from mail-wm0-x22b.google.com ([2a00:1450:400c:c09::22b]:34869)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dmitry@daynix.com>) id 1a8203-0004Z0-Ch
	for qemu-devel@nongnu.org; Sun, 13 Dec 2015 03:27:23 -0500
Received: by mail-wm0-x22b.google.com with SMTP id p66so7163889wmp.0
	for <qemu-devel@nongnu.org>; Sun, 13 Dec 2015 00:27:23 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Dmitry Fleytman <dmitry@daynix.com>
In-Reply-To: <alpine.LFD.2.20.1512111512110.13222@wniryva>
Date: Sun, 13 Dec 2015 10:27:20 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <B70517D2-5032-4E08-AC11-7E0E63C165E8@daynix.com>
References: <alpine.LFD.2.20.1512021731340.15831@wniryva>
	<66A887B2-7CFF-45F9-AD7F-1381F8B1F318@daynix.com>
	<566105A2.6040508@redhat.com>
	<alpine.LFD.2.20.1512081526300.26684@wniryva>
	<alpine.LFD.2.20.1512091713000.22387@wniryva>
	<566A930C.7030901@redhat.com>
	<alpine.LFD.2.20.1512111512110.13222@wniryva>
Subject: Re: [Qemu-devel] net: vmxnet3: memory leakage issue
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>
Cc: Qinghao Tang <luodalongde@gmail.com>, Jason Wang <jasowang@redhat.com>, qemu-devel@nongnu.org


> On 11 Dec 2015, at 12:04 PM, P J P <ppandit@redhat.com> wrote:
>=20
>  Hello Jason,
>=20
> +-- On Fri, 11 Dec 2015, Jason Wang wrote --+
> | I think it's possible for attacker. Better wait for Dmitry's answer =
for
> | this.
>=20
>  Okay.
>=20
> | > +    /* Verify if device is active */
> | > +    if (s->device_active) {
> | > +        VMW_CFPRN("Vmxnet3 device is active");
> | > +        return;
> | > +    }
> |=20
> | What if guest want to activate a paused device?
>=20
>  There is a 'resume' operation defined below.
>=20
> | >      case VMXNET3_CMD_QUIESCE_DEV:
> | > -        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the =
device");
> | > -        vmxnet3_deactivate_device(s);
> | > +        if (s->device_active & VMXNET3_DEV_ACTIVE) {
> | > +            VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the =
device");
> | > +            vmxnet3_pause_device(s);
> | > +        } else if (s->device_active & VMXNET3_DEV_PAUSE) {
> | > +            VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - resume the =
device");
> | > +            vmxnet3_resume_device(s);
> | > +        }
> |=20
> | Not sure this is the correct behavior. Is there a link to the spec?
>=20
>  I couldn't find a spec for vmxnet3; I referred the vmxnet3 kernel =
driver,=20
> which seems to implement suspend & resume functions.

Unfortunately the spec is not available.
The device was implemented using Linux/Windows drivers as references.

>=20
>  -> =
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drive=
rs/net/vmxnet3/vmxnet3_drv.c
>=20
> In general, Ethernet documents talk about 'pause' frame mechanism to =
stop NIC=20
> from buffering more data, till it has space available to process more, =
when it=20
> resumes its operation.
>=20
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F