diff mbox

net: rtl8139: limit processing of ring descriptors

Message ID 1477051769-4891-1-git-send-email-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Prasad Pandit Oct. 21, 2016, 12:09 p.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.

Reported-by: Andrew Henderson <hendersa@icculus.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/net/rtl8139.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jason Wang Oct. 24, 2016, 6:43 a.m. UTC | #1
On 2016年10月21日 20:09, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> RTL8139 ethernet controller in C+ mode supports multiple
> descriptor rings, each with maximum of 64 descriptors. While
> processing transmit descriptor ring in 'rtl8139_cplus_transmit',
> it does not limit the descriptor count and runs forever. Add
> check to avoid it.
>
> Reported-by: Andrew Henderson <hendersa@icculus.org>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>   hw/net/rtl8139.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
> index 3345bc6..f05e59c 100644
> --- a/hw/net/rtl8139.c
> +++ b/hw/net/rtl8139.c
> @@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
>   {
>       int txcount = 0;
>   
> -    while (rtl8139_cplus_transmit_one(s))
> +    while (txcount < 64 && rtl8139_cplus_transmit_one(s))
>       {
>           ++txcount;
>       }

Applied to -net, thanks.
Prasad Pandit Oct. 24, 2016, 9:30 a.m. UTC | #2
Hello Jason,

+-- On Mon, 24 Oct 2016, Jason Wang wrote --+
| > RTL8139 ethernet controller in C+ mode supports multiple
| > descriptor rings, each with maximum of 64 descriptors. While
| > processing transmit descriptor ring in 'rtl8139_cplus_transmit',
| > it does not limit the descriptor count and runs forever.
| >
| > diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
| > index 3345bc6..f05e59c 100644
| > --- a/hw/net/rtl8139.c
| > +++ b/hw/net/rtl8139.c
| > @@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
| >   {
| >       int txcount = 0;
| >   -    while (rtl8139_cplus_transmit_one(s))
| > +    while (txcount < 64 && rtl8139_cplus_transmit_one(s))
| >       {
| >           ++txcount;
| >       }
| 
| Applied to -net, thanks.

  Thank you. CC'ing '-stable' as it affects older versions too; Was introduced 
in commit

  -> git.qemu.org/?p=qemu.git;a=commit;h=49ab747f668f421138d5b40d83fa279c4


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
diff mbox

Patch

diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 3345bc6..f05e59c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2350,7 +2350,7 @@  static void rtl8139_cplus_transmit(RTL8139State *s)
 {
     int txcount = 0;
 
-    while (rtl8139_cplus_transmit_one(s))
+    while (txcount < 64 && rtl8139_cplus_transmit_one(s))
     {
         ++txcount;
     }