[Qemu-devel] [PATCH v3] net: imx: limit buffer descriptor count

P J P posted 1 patch 7 years, 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20170202104624.13948-1-ppandit@redhat.com
Test checkpatch passed
Test docker passed
Test s390x passed
hw/net/imx_fec.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
[Qemu-devel] [PATCH v3] net: imx: limit buffer descriptor count
Posted by P J P 7 years, 1 month ago
From: Prasad J Pandit <pjp@fedoraproject.org>

i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/imx_fec.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Patch v2
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05554.html
  - Restrict loop in 'imx_enet_do_tx' to IMX_MAX_DESC descriptors.

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 50c7564..90e6ee3 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -55,6 +55,8 @@
         } \
     } while (0)
 
+#define IMX_MAX_DESC    1024
+
 static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
 {
     static char tmp[20];
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
 
 static void imx_fec_do_tx(IMXFECState *s)
 {
-    int frame_size = 0;
+    int frame_size = 0, descnt = 0;
     uint8_t frame[ENET_MAX_FRAME_SIZE];
     uint8_t *ptr = frame;
     uint32_t addr = s->tx_descriptor;
 
-    while (1) {
+    while (descnt++ < IMX_MAX_DESC) {
         IMXFECBufDesc bd;
         int len;
 
@@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s)
 
 static void imx_enet_do_tx(IMXFECState *s)
 {
-    int frame_size = 0;
+    int frame_size = 0, descnt = 0;
     uint8_t frame[ENET_MAX_FRAME_SIZE];
     uint8_t *ptr = frame;
     uint32_t addr = s->tx_descriptor;
 
-    while (1) {
+    while (descnt++ < IMX_MAX_DESC) {
         IMXENETBufDesc bd;
         int len;
 
-- 
2.9.3


Re: [Qemu-devel] [PATCH v3] net: imx: limit buffer descriptor count
Posted by Jason Wang 7 years, 1 month ago

On 2017年02月02日 18:46, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> i.MX Fast Ethernet Controller uses buffer descriptors to manage
> data flow to/fro receive & transmit queues. While transmitting
> packets, it could continue to read buffer descriptors if a buffer
> descriptor has length of zero and has crafted values in bd.flags.
> Set an upper limit to number of buffer descriptors.
>
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>   hw/net/imx_fec.c | 10 ++++++----
>   1 file changed, 6 insertions(+), 4 deletions(-)
>
> Patch v2
>    -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05554.html
>    - Restrict loop in 'imx_enet_do_tx' to IMX_MAX_DESC descriptors.

Applied, thanks.

>
> diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
> index 50c7564..90e6ee3 100644
> --- a/hw/net/imx_fec.c
> +++ b/hw/net/imx_fec.c
> @@ -55,6 +55,8 @@
>           } \
>       } while (0)
>   
> +#define IMX_MAX_DESC    1024
> +
>   static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
>   {
>       static char tmp[20];
> @@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
>   
>   static void imx_fec_do_tx(IMXFECState *s)
>   {
> -    int frame_size = 0;
> +    int frame_size = 0, descnt = 0;
>       uint8_t frame[ENET_MAX_FRAME_SIZE];
>       uint8_t *ptr = frame;
>       uint32_t addr = s->tx_descriptor;
>   
> -    while (1) {
> +    while (descnt++ < IMX_MAX_DESC) {
>           IMXFECBufDesc bd;
>           int len;
>   
> @@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s)
>   
>   static void imx_enet_do_tx(IMXFECState *s)
>   {
> -    int frame_size = 0;
> +    int frame_size = 0, descnt = 0;
>       uint8_t frame[ENET_MAX_FRAME_SIZE];
>       uint8_t *ptr = frame;
>       uint32_t addr = s->tx_descriptor;
>   
> -    while (1) {
> +    while (descnt++ < IMX_MAX_DESC) {
>           IMXENETBufDesc bd;
>           int len;
>