53b56ca781
Changes to other patches are all just metadata/context changes except for pvebackup_co_prepare() needing to call bdrv_co_unref() rather than bdrv_unref(), because it is a coroutine itself. This is documented in d6ee2e324e ("block-coroutine-wrapper: Introduce no_co_wrapper"). The change is necessary, because one of the stable fixes converts bdrv_unref and blk_unref into no_co_wrappers (in preparation for a second patch to fix a hang with the block resize QMP command).

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
73 lines
2.7 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Thu, 13 Apr 2023 13:19:46 -0400
Subject: [PATCH] rtl8139: fix large_send_mss divide-by-zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
Even if the division wasn't a problem, the for loop that emits MSS-sized
packets would never terminate.
Solve these issues by skipping offloading when large_send_mss=0.
This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
fuzzing work. The reproducer is:
$ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
rtl8139,netdev=net0 -netdev user,id=net0 -device \
pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
memory-backend-ram,id=mem1,size=2M -qtest stdio
outl 0xcf8 0x80000814
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000037 0x1 0x04
write 0xe00000e0 0x2 0x01
write 0x1 0x1 0x04
write 0x3 0x1 0x98
write 0xa 0x1 0x8c
write 0xb 0x1 0x02
write 0xc 0x1 0x46
write 0xd 0x1 0xa6
write 0xf 0x1 0xb8
write 0xb800a646028c000c 0x1 0x08
write 0xb800a646028c000e 0x1 0x47
write 0xb800a646028c0010 0x1 0x02
write 0xb800a646028c0017 0x1 0x06
write 0xb800a646028c0036 0x1 0x80
write 0xe00000d9 0x1 0x40
EOF
Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Jason Wang <jasowang@redhat.com>
(picked up from https://patchew.org/QEMU/20230413171946.2865726-1-stefanha@redhat.com/)
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
hw/net/rtl8139.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 5a5aaf868d..5f1a4d359b 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
 
int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) &
CP_TC_LGSEN_MSS_MASK;
+ if (large_send_mss == 0) {
+ goto skip_offload;
+ }
 
DPRINTF("+++ C+ mode offloaded task TSO IP data %d "
"frame data %d specified MSS=%d\n",
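Review bot: the new guard `if (large_send_mss == 0) { goto skip_offload; }` relies on the existing `skip_offload` label, which is outside this hunk; please confirm that label sends the frame unsegmented rather than dropping it, since the commit message says the fix is to skip offloading, not to discard the descriptor. Two smaller points: the bail-out sits before the `DPRINTF("+++ C+ mode offloaded task TSO ...")`, so an MSS=0 descriptor leaves no debug trace at all, and a one-line DPRINTF in the new branch would make the fuzzer's case visible when debugging. And the check only rejects zero: a tiny non-zero MSS (1, say) is still accepted and makes the MSS-sized loop emit one segment per byte of payload. That loop does terminate, so it is out of scope for this divide-by-zero fix, but a lower bound on the MSS is worth considering in a follow-up.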
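To make the failure mode described in the commit message concrete, here is a stand-alone C model of the large-send path, added here as an example and not code from the patch or from QEMU's hw/net/rtl8139.c. It extracts the MSS field the way the hunk does, then segments a payload with the zero check in place. The numeric values of CP_TC_LGSEN_MSS_SHIFT and CP_TC_LGSEN_MSS_MASK, the function names (extract_large_send_mss, segment_tso, transmit_one) and the sample descriptor values are assumptions for this example. Without the `mss == 0` check, the segment-count division faults and the `for` loop, whose offset advances by `mss`, never terminates, which is exactly the pair of problems the commit message names.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bit layout of the large-send MSS field in C+ TX descriptor word 0.
 * The shift and mask values below are assumed for this example; the
 * authoritative definitions are in QEMU's hw/net/rtl8139.c.
 */
#define CP_TC_LGSEN_MSS_SHIFT 18
#define CP_TC_LGSEN_MSS_MASK  0x7ff

#define MAX_SEGMENTS 128

enum {
    TSO_SKIP = -1,      /* offload skipped: send the frame unsegmented */
    TSO_TOO_MANY = -2,  /* caller's segment array is too small */
};

/* Same expression as the hunk: an 11-bit field, so 0..2047, zero included. */
static int extract_large_send_mss(uint32_t txdw0)
{
    return (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) & CP_TC_LGSEN_MSS_MASK;
}

/*
 * Model of the offload path. Fills seg_len[] with the payload size of each
 * emitted segment and returns how many there are, or TSO_SKIP / TSO_TOO_MANY.
 *
 * If the `mss == 0` check were removed, this function would hit both problems
 * the commit message names: the segment-count division faults (SIGFPE), and
 * even without that division the loop offset would never advance.
 */
static int segment_tso(int tcp_data_len, int mss, int *seg_len, int max_segs)
{
    if (mss == 0) {
        return TSO_SKIP;                                /* the fix */
    }

    int expected = (tcp_data_len + mss - 1) / mss;      /* /0 if mss == 0 */
    if (expected > max_segs) {
        return TSO_TOO_MANY;
    }

    int n = 0;
    for (int off = 0; off < tcp_data_len; off += mss) { /* stuck if mss == 0 */
        int remaining = tcp_data_len - off;
        seg_len[n++] = remaining > mss ? mss : remaining;
    }
    return n;
}

/* What a "transmit one descriptor" routine does with the MSS field. */
static int transmit_one(uint32_t txdw0, int tcp_data_len, int *seg_len, int max_segs)
{
    return segment_tso(tcp_data_len, extract_large_send_mss(txdw0), seg_len, max_segs);
}

int main(void)
{
    int seg[MAX_SEGMENTS];
    /* Constructed descriptors: a sane MSS of 1460 and the fuzzer's MSS of 0. */
    uint32_t txdw0_ok = (uint32_t)1460 << CP_TC_LGSEN_MSS_SHIFT;
    uint32_t txdw0_zero = 0;

    int n = transmit_one(txdw0_ok, 4000, seg, MAX_SEGMENTS);
    printf("mss=1460 len=4000: %d segments, last one %d bytes\n", n, seg[n - 1]);

    n = transmit_one(txdw0_zero, 4000, seg, MAX_SEGMENTS);
    printf("mss=0 len=4000: %d (offload skipped)\n", n);
    return 0;
}
```

The segmenter returns TSO_SKIP for an MSS of zero so the caller can fall back to sending the frame unsegmented, mirroring the `goto skip_offload` in the hunk. The guard alone still accepts very small MSS values, which make the loop emit one segment per byte of payload; that is bounded by the payload length, so it is a cost rather than a hang.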