diff mbox

[v2] net: imx: limit buffer descriptor count

Message ID 1474540298-4152-1-git-send-email-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Prasad Pandit Sept. 22, 2016, 10:31 a.m. UTC 
From: Prasad J Pandit <pjp@fedoraproject.org>

i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/imx_fec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Update per
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html

Comments

Paolo Bonzini Sept. 22, 2016, 10:32 a.m. UTC | #1 
On 22/09/2016 12:31, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> i.MX Fast Ethernet Controller uses buffer descriptors to manage
> data flow to/fro receive & transmit queues. While transmitting
> packets, it could continue to read buffer descriptors if a buffer
> descriptor has length of zero and has crafted values in bd.flags.
> Set an upper limit to number of buffer descriptors.
> 
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/net/imx_fec.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> Update per
>   -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
> 
> diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
> index e60e338..547fa99 100644
> --- a/hw/net/imx_fec.c
> +++ b/hw/net/imx_fec.c
> @@ -94,6 +94,8 @@ static const VMStateDescription vmstate_imx_fec = {
>  #define PHY_INT_PARFAULT            (1 << 2)
>  #define PHY_INT_AUTONEG_PAGE        (1 << 1)
>  
> +#define IMX_MAX_DESC                1024
> +
>  static void imx_fec_update(IMXFECState *s);
>  
>  /*
> @@ -264,12 +266,12 @@ static void imx_fec_update(IMXFECState *s)
>  
>  static void imx_fec_do_tx(IMXFECState *s)
>  {
> -    int frame_size = 0;
> +    int frame_size = 0, descnt = 0;
>      uint8_t frame[FEC_MAX_FRAME_SIZE];
>      uint8_t *ptr = frame;
>      uint32_t addr = s->tx_descriptor;
>  
> -    while (1) {
> +    while (descnt++ < IMX_MAX_DESC) {
>          IMXFECBufDesc bd;
>          int len;
>  
> 

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Jason Wang Sept. 23, 2016, 5:17 a.m. UTC | #2 
On 2016年09月22日 18:32, Paolo Bonzini wrote:
>
> On 22/09/2016 12:31, P J P wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> i.MX Fast Ethernet Controller uses buffer descriptors to manage
>> data flow to/fro receive & transmit queues. While transmitting
>> packets, it could continue to read buffer descriptors if a buffer
>> descriptor has length of zero and has crafted values in bd.flags.
>> Set an upper limit to number of buffer descriptors.
>>
>> Reported-by: Li Qiang <liqiang6-s@360.cn>
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>> ---
>>   hw/net/imx_fec.c | 6 ++++--
>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> Update per
>>    -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
>>
>> diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
>> index e60e338..547fa99 100644
>> --- a/hw/net/imx_fec.c
>> +++ b/hw/net/imx_fec.c
>> @@ -94,6 +94,8 @@ static const VMStateDescription vmstate_imx_fec = {
>>   #define PHY_INT_PARFAULT            (1 << 2)
>>   #define PHY_INT_AUTONEG_PAGE        (1 << 1)
>>   
>> +#define IMX_MAX_DESC                1024
>> +
>>   static void imx_fec_update(IMXFECState *s);
>>   
>>   /*
>> @@ -264,12 +266,12 @@ static void imx_fec_update(IMXFECState *s)
>>   
>>   static void imx_fec_do_tx(IMXFECState *s)
>>   {
>> -    int frame_size = 0;
>> +    int frame_size = 0, descnt = 0;
>>       uint8_t frame[FEC_MAX_FRAME_SIZE];
>>       uint8_t *ptr = frame;
>>       uint32_t addr = s->tx_descriptor;
>>   
>> -    while (1) {
>> +    while (descnt++ < IMX_MAX_DESC) {
>>           IMXFECBufDesc bd;
>>           int len;
>>   
>>
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>

Applied, thanks.
Jason Wang Sept. 23, 2016, 6:08 a.m. UTC | #3 
On 2016年09月23日 13:17, Jason Wang wrote:
>
>
> On 2016年09月22日 18:32, Paolo Bonzini wrote:
>>
>> On 22/09/2016 12:31, P J P wrote:
>>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>>
>>> i.MX Fast Ethernet Controller uses buffer descriptors to manage
>>> data flow to/fro receive & transmit queues. While transmitting
>>> packets, it could continue to read buffer descriptors if a buffer
>>> descriptor has length of zero and has crafted values in bd.flags.
>>> Set an upper limit to number of buffer descriptors.
>>>
>>> Reported-by: Li Qiang <liqiang6-s@360.cn>
>>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>>> ---
>>>   hw/net/imx_fec.c | 6 ++++--
>>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>>
>>> Update per
>>>    -> 
>>> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
>>>
>>> diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
>>> index e60e338..547fa99 100644
>>> --- a/hw/net/imx_fec.c
>>> +++ b/hw/net/imx_fec.c
>>> @@ -94,6 +94,8 @@ static const VMStateDescription vmstate_imx_fec = {
>>>   #define PHY_INT_PARFAULT            (1 << 2)
>>>   #define PHY_INT_AUTONEG_PAGE        (1 << 1)
>>>   +#define IMX_MAX_DESC                1024
>>> +
>>>   static void imx_fec_update(IMXFECState *s);
>>>     /*
>>> @@ -264,12 +266,12 @@ static void imx_fec_update(IMXFECState *s)
>>>     static void imx_fec_do_tx(IMXFECState *s)
>>>   {
>>> -    int frame_size = 0;
>>> +    int frame_size = 0, descnt = 0;
>>>       uint8_t frame[FEC_MAX_FRAME_SIZE];
>>>       uint8_t *ptr = frame;
>>>       uint32_t addr = s->tx_descriptor;
>>>   -    while (1) {
>>> +    while (descnt++ < IMX_MAX_DESC) {
>>>           IMXFECBufDesc bd;
>>>           int len;
>>>
>> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
>
> Applied, thanks.
>

Actually the patch does not apply cleanly. Please fix and repost.

Thanks
Prasad Pandit Sept. 26, 2016, 10:51 a.m. UTC | #4 
Hello Jason,

+-- On Fri, 23 Sep 2016, Jason Wang wrote --+
| Actually the patch does not apply cleanly. Please fix and repost.

  The 'net: imx:...' patch is for v2.6 series. I missed to indicate that in 
Patch v2. Could you please try it with v2.6?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Prasad Pandit Jan. 26, 2017, 5:48 p.m. UTC | #5 
Hello Jason,

+-- On Mon, 26 Sep 2016, P J P wrote --+
| +-- On Fri, 23 Sep 2016, Jason Wang wrote --+
| | Actually the patch does not apply cleanly. Please fix and repost.
| 
|   The 'net: imx:...' patch is for v2.6 series. I missed to indicate that in 
| Patch v2. Could you please try it with v2.6?

This patch still isn't merged upstream it seems. Could you please check?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Prasad Pandit Feb. 2, 2017, 9:51 a.m. UTC | #6 
+-- On Thu, 26 Jan 2017, P J P wrote --+
| +-- On Mon, 26 Sep 2016, P J P wrote --+
| | +-- On Fri, 23 Sep 2016, Jason Wang wrote --+
| | | Actually the patch does not apply cleanly. Please fix and repost.
| | 
| |   The 'net: imx:...' patch is for v2.6 series. I missed to indicate that 
| | in Patch v2. Could you please try it with v2.6?
| 
| This patch still isn't merged upstream it seems. Could you please check?

@Jason:..ping!?
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Prasad Pandit Feb. 2, 2017, 11:05 a.m. UTC | #7 
Hello Jason,

+-- On Thu, 26 Jan 2017, P J P wrote --+
| This patch still isn't merged upstream it seems. Could you please check?

  -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg00380.html

I have sent a revised patch v3. Please consider this one.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
diff mbox

Patch

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index e60e338..547fa99 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -94,6 +94,8 @@  static const VMStateDescription vmstate_imx_fec = {
 #define PHY_INT_PARFAULT            (1 << 2)
 #define PHY_INT_AUTONEG_PAGE        (1 << 1)
 
+#define IMX_MAX_DESC                1024
+
 static void imx_fec_update(IMXFECState *s);
 
 /*
@@ -264,12 +266,12 @@  static void imx_fec_update(IMXFECState *s)
 
 static void imx_fec_do_tx(IMXFECState *s)
 {
-    int frame_size = 0;
+    int frame_size = 0, descnt = 0;
     uint8_t frame[FEC_MAX_FRAME_SIZE];
     uint8_t *ptr = frame;
     uint32_t addr = s->tx_descriptor;
 
-    while (1) {
+    while (descnt++ < IMX_MAX_DESC) {
         IMXFECBufDesc bd;
         int len;