qemu-devel.nongnu.org archive mirror
* [PULL 0/2] Net patches
@ 2021-11-05  4:17 Jason Wang
  2021-11-05  4:17 ` [PULL 1/2] e1000: fix tx re-entrancy problem Jason Wang
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Jason Wang @ 2021-11-05  4:17 UTC (permalink / raw)
  To: peter.maydell; +Cc: Jason Wang, qemu-devel

The following changes since commit 18e356a53a2926a15343b914db64324d63748f25:

  Merge remote-tracking branch 'remotes/stsquad/tags/pull-for-6.2-041121-2' into staging (2021-11-04 08:33:46 -0400)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to 3fd641ac5ec713e67129c1a57e8b6281182bd843:

  Fix virtio-net-pci* "vectors" compat (2021-11-05 11:32:00 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Eduardo Habkost (1):
      Fix virtio-net-pci* "vectors" compat

Jon Maloy (1):
      e1000: fix tx re-entrancy problem

 hw/core/machine.c | 2 +-
 hw/net/e1000.c    | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)





* [PULL 1/2] e1000: fix tx re-entrancy problem
  2021-11-05  4:17 [PULL 0/2] Net patches Jason Wang
@ 2021-11-05  4:17 ` Jason Wang
  2021-11-05  4:17 ` [PULL 2/2] Fix virtio-net-pci* "vectors" compat Jason Wang
  2021-11-05 15:41 ` [PULL 0/2] Net patches Richard Henderson
  2 siblings, 0 replies; 4+ messages in thread
From: Jason Wang @ 2021-11-05  4:17 UTC (permalink / raw)
  To: peter.maydell; +Cc: Jon Maloy, Jason Wang, qemu-devel

From: Jon Maloy <jmaloy@redhat.com>

The fact that the MMIO handler is not re-entrant causes an infinite
loop under certain conditions:

Guest write to TDT ->  Loopback -> RX (DMA to TDT) -> TX

We now eliminate the effect of this problem locally in e1000, by adding
a boolean in struct E1000State indicating when the TX side is busy. This
will cause any entering new call to return early instead of interfering
with the ongoing work, and eliminates any risk of looping.

This is intended to address CVE-2021-20257.

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/e1000.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index a30546c..f5bc812 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -107,6 +107,7 @@ struct E1000State_st {
         e1000x_txd_props props;
         e1000x_txd_props tso_props;
         uint16_t tso_frames;
+        bool busy;
     } tx;
 
     struct {
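Review bot: the new `bool busy;` in the `tx` struct carries no comment, and nothing in this patch shows where it is reset. Add a one-line comment saying it marks start_xmit() as in progress, and confirm that device reset clears it, since a flag left true makes the new check in start_xmit() return early on every later call.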
@@ -763,6 +764,11 @@ start_xmit(E1000State *s)
         return;
     }
 
+    if (s->tx.busy) {
+        return;
+    }
+    s->tx.busy = true;
+
     while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
         base = tx_desc_base(s) +
                sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
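Review bot: at the new `if (s->tx.busy) { return; }` the nested call returns without recording that a kick arrived, so correctness depends on the outer `while (s->mac_reg[TDH] != s->mac_reg[TDT])` loop re-reading TDT on every iteration. A short comment stating that dependency would keep a later refactor (for example, caching TDT in a local) from silently losing the nested update.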
@@ -789,6 +795,7 @@ start_xmit(E1000State *s)
             break;
         }
     }
+    s->tx.busy = false;
     set_ics(s, 0, cause);
 }
 
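Review bot: `s->tx.busy = false;` is reached only by falling out of the loop, which holds in the visible lines because the loop leaves via `break`. A `return` added inside the loop later would leave the flag set and make every subsequent start_xmit() call return early. Consider a single exit label that clears the flag, or a comment at the top of the loop saying it must not return directly.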
-- 
2.7.4
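
Added example, not part of the patch or of QEMU: a constructed toy model of the chain in the commit message above (guest write to TDT, loopback, RX DMA landing on TDT, TX again), run with and without a busy-flag guard. All names (toy_nic, mmio_write_tdt, rx_word, SEND_CAP) are hypothetical, and SEND_CAP exists only so the unguarded run terminates.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy model, not QEMU code; every name here is hypothetical. */
enum { RING = 8, SEND_CAP = 32 };  /* SEND_CAP makes the runaway case stop */

struct toy_nic {
    uint32_t tdh, tdt;  /* TX ring head and tail indices */
    uint32_t rx_word;   /* value the looped-back frame DMAs into TDT */
    bool guard, busy;   /* guard enables the tx.busy-style check */
    int sent;           /* descriptors processed so far */
};

static void start_xmit(struct toy_nic *s);

/* MMIO write to TDT: store the new tail, then kick the transmitter. */
static void mmio_write_tdt(struct toy_nic *s, uint32_t val)
{
    s->tdt = val % RING;
    start_xmit(s);
}

static void start_xmit(struct toy_nic *s)
{
    if (s->guard && s->busy) {
        return;                 /* nested kick: the outer loop re-reads TDT */
    }
    s->busy = true;
    while (s->tdh != s->tdt && s->sent < SEND_CAP) {
        s->sent++;
        mmio_write_tdt(s, s->rx_word);  /* loopback RX whose DMA lands on TDT */
        s->tdh = (s->tdh + 1) % RING;   /* head advances only after the send */
    }
    s->busy = false;
}

/* One guest write of TDT=1; returns sends done, or -1 if the cap was hit. */
int run(bool guard)
{
    struct toy_nic s = { .rx_word = 4, .guard = guard };
    mmio_write_tdt(&s, 1);
    return s.sent >= SEND_CAP ? -1 : s.sent;
}

int main(void)
{
    return (run(false) == -1 && run(true) == 4) ? 0 : 1;
}
```

Without the guard the head index never advances before the next nested call, so the same descriptor is processed until the cap trips; with the guard the single outer loop drains the ring up to the tail written by the looped-back frame.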




* [PULL 2/2] Fix virtio-net-pci* "vectors" compat
  2021-11-05  4:17 [PULL 0/2] Net patches Jason Wang
  2021-11-05  4:17 ` [PULL 1/2] e1000: fix tx re-entrancy problem Jason Wang
@ 2021-11-05  4:17 ` Jason Wang
  2021-11-05 15:41 ` [PULL 0/2] Net patches Richard Henderson
  2 siblings, 0 replies; 4+ messages in thread
From: Jason Wang @ 2021-11-05  4:17 UTC (permalink / raw)
  To: peter.maydell
  Cc: Jason Wang, Cornelia Huck, Jean-Louis Dupond, qemu-devel,
	Eduardo Habkost

From: Eduardo Habkost <ehabkost@redhat.com>

hw_compat_5_2 has an issue: it affects only "virtio-net-pci"
but not "virtio-net-pci-transitional" and
"virtio-net-pci-non-transitional".  The solution is to use the
"virtio-net-pci-base" type in compat_props.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999141

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Jean-Louis Dupond <jean-louis@dupond.be>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jean-Louis Dupond <jean-louis@dupond.be>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/core/machine.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index 948b3d9..26ec54e 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -56,7 +56,7 @@ GlobalProperty hw_compat_5_2[] = {
     { "ICH9-LPC", "smm-compat", "on"},
     { "PIIX4_PM", "smm-compat", "on"},
     { "virtio-blk-device", "report-discard-granularity", "off" },
-    { "virtio-net-pci", "vectors", "3"},
+    { "virtio-net-pci-base", "vectors", "3"},
 };
 const size_t hw_compat_5_2_len = G_N_ELEMENTS(hw_compat_5_2);
 
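Review bot: the `{ "virtio-net-pci-base", "vectors", "3"},` entry gives no hint why the base type is named instead of the concrete device. A one-line comment that the compat property has to sit on the base type to reach the transitional and non-transitional variants would stop it from being "corrected" back later. Only hw_compat_5_2 is touched here, so it is worth checking whether other compat arrays carry "virtio-net-pci" entries with the same limitation.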
-- 
2.7.4




* Re: [PULL 0/2] Net patches
  2021-11-05  4:17 [PULL 0/2] Net patches Jason Wang
  2021-11-05  4:17 ` [PULL 1/2] e1000: fix tx re-entrancy problem Jason Wang
  2021-11-05  4:17 ` [PULL 2/2] Fix virtio-net-pci* "vectors" compat Jason Wang
@ 2021-11-05 15:41 ` Richard Henderson
  2 siblings, 0 replies; 4+ messages in thread
From: Richard Henderson @ 2021-11-05 15:41 UTC (permalink / raw)
  To: Jason Wang, peter.maydell; +Cc: qemu-devel

On 11/5/21 12:17 AM, Jason Wang wrote:
> The following changes since commit 18e356a53a2926a15343b914db64324d63748f25:
> 
>    Merge remote-tracking branch 'remotes/stsquad/tags/pull-for-6.2-041121-2' into staging (2021-11-04 08:33:46 -0400)
> 
> are available in the git repository at:
> 
>    https://github.com/jasowang/qemu.git tags/net-pull-request
> 
> for you to fetch changes up to 3fd641ac5ec713e67129c1a57e8b6281182bd843:
> 
>    Fix virtio-net-pci* "vectors" compat (2021-11-05 11:32:00 +0800)
> 
> ----------------------------------------------------------------
> 
> ----------------------------------------------------------------
> Eduardo Habkost (1):
>        Fix virtio-net-pci* "vectors" compat
> 
> Jon Maloy (1):
>        e1000: fix tx re-entrancy problem
> 
>   hw/core/machine.c | 2 +-
>   hw/net/e1000.c    | 7 +++++++
>   2 files changed, 8 insertions(+), 1 deletion(-)

Applied, thanks.

r~

