pve-qemu-qoup/debian/patches/extra/0007-rtl8139-fix-large_send_mss-divide-by-zero.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Thu, 13 Apr 2023 13:19:46 -0400
Subject: [PATCH] rtl8139: fix large_send_mss divide-by-zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.

Solve these issues by skipping offloading when large_send_mss=0.

This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:

  $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
  512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
  rtl8139,netdev=net0 -netdev user,id=net0 -device \
  pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
  memory-backend-ram,id=mem1,size=2M  -qtest stdio
  outl 0xcf8 0x80000814
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000037 0x1 0x04
  write 0xe00000e0 0x2 0x01
  write 0x1 0x1 0x04
  write 0x3 0x1 0x98
  write 0xa 0x1 0x8c
  write 0xb 0x1 0x02
  write 0xc 0x1 0x46
  write 0xd 0x1 0xa6
  write 0xf 0x1 0xb8
  write 0xb800a646028c000c 0x1 0x08
  write 0xb800a646028c000e 0x1 0x47
  write 0xb800a646028c0010 0x1 0x02
  write 0xb800a646028c0017 0x1 0x06
  write 0xb800a646028c0036 0x1 0x80
  write 0xe00000d9 0x1 0x40
  EOF

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Jason Wang <jasowang@redhat.com>
(picked up from https://patchew.org/QEMU/20230413171946.2865726-1-stefanha@redhat.com/)
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 hw/net/rtl8139.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 5a5aaf868d..5f1a4d359b 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
 
                 int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) &
                                      CP_TC_LGSEN_MSS_MASK;
+                if (large_send_mss == 0) {
+                    goto skip_offload;
+                }
 
                 DPRINTF("+++ C+ mode offloaded task TSO IP data %d "
                     "frame data %d specified MSS=%d\n",
add stable patches for 8.0.0 Changes to other patches are all just metadata/context changes except for pvebackup_co_prepare() needing to call bdrv_co_unref() rather than bdrv_unref(), because it is a coroutine itself. This is documented in d6ee2e324e ("block-coroutine-wrapper: Introduce no_co_wrapper"). The change is necessary, because one of the stable fixes converts bdrv_unref and blk_unref into no_co_wrappers (in preparation for a second patch to fix a hang with the block resize QMP command). Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> 2023-05-15 16:39:54 +03:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Stefan Hajnoczi <stefanha@redhat.com>`
			`Date: Thu, 13 Apr 2023 13:19:46 -0400`
			`Subject: [PATCH] rtl8139: fix large_send_mss divide-by-zero`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`If the driver sets large_send_mss to 0 then a divide-by-zero occurs.`
			`Even if the division wasn't a problem, the for loop that emits MSS-sized`
			`packets would never terminate.`

			`Solve these issues by skipping offloading when large_send_mss=0.`

			`This issue was found by OSS-Fuzz as part of Alexander Bulekov's device`
			`fuzzing work. The reproducer is:`

			`$ cat << EOF \| ./qemu-system-i386 -display none -machine accel=qtest, -m \`
			`512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \`
			`rtl8139,netdev=net0 -netdev user,id=net0 -device \`
			`pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \`
			`memory-backend-ram,id=mem1,size=2M -qtest stdio`
			`outl 0xcf8 0x80000814`
			`outl 0xcfc 0xe0000000`
			`outl 0xcf8 0x80000804`
			`outw 0xcfc 0x06`
			`write 0xe0000037 0x1 0x04`
			`write 0xe00000e0 0x2 0x01`
			`write 0x1 0x1 0x04`
			`write 0x3 0x1 0x98`
			`write 0xa 0x1 0x8c`
			`write 0xb 0x1 0x02`
			`write 0xc 0x1 0x46`
			`write 0xd 0x1 0xa6`
			`write 0xf 0x1 0xb8`
			`write 0xb800a646028c000c 0x1 0x08`
			`write 0xb800a646028c000e 0x1 0x47`
			`write 0xb800a646028c0010 0x1 0x02`
			`write 0xb800a646028c0017 0x1 0x06`
			`write 0xb800a646028c0036 0x1 0x80`
			`write 0xe00000d9 0x1 0x40`
			`EOF`

			`Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582`
			`Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value")`
			`Reported-by: Alexander Bulekov <alxndr@bu.edu>`
			`Cc: Peter Maydell <peter.maydell@linaro.org>`
			`Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>`
			`Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>`
			`Tested-by: Alexander Bulekov <alxndr@bu.edu>`
			`Reviewed-by: Peter Maydell <peter.maydell@linaro.org>`
			`Acked-by: Jason Wang <jasowang@redhat.com>`
			`(picked up from https://patchew.org/QEMU/20230413171946.2865726-1-stefanha@redhat.com/)`
			`Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>`
			`---`
			`hw/net/rtl8139.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c`
			`index 5a5aaf868d..5f1a4d359b 100644`
			`--- a/hw/net/rtl8139.c`
			`+++ b/hw/net/rtl8139.c`
			`@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)`

			`int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) &`
			`CP_TC_LGSEN_MSS_MASK;`
			`+ if (large_send_mss == 0) {`
			`+ goto skip_offload;`
			`+ }`

			`DPRINTF("+++ C+ mode offloaded task TSO IP data %d "`
			`"frame data %d specified MSS=%d\n",`