From b0b900070c7cb29bbefb732ec00397abe5de6d73 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 12 Jul 2010 20:24:59 +0300 Subject: e1000: fix access 4 bytes beyond buffer end We do range check for size, and get size as buffer, but copy size + 4 bytes (4 is for FCS). Let's copy size bytes but put size + 4 in length. Signed-off-by: Michael S. Tsirkin --- hw/e1000.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/e1000.c b/hw/e1000.c index 0da65f9a34..70aba11296 100644 --- a/hw/e1000.c +++ b/hw/e1000.c @@ -649,7 +649,6 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size) } rdh_start = s->mac_reg[RDH]; - size += 4; // for the header do { if (s->mac_reg[RDH] == s->mac_reg[RDT] && s->check_rxov) { set_ics(s, 0, E1000_ICS_RXO); @@ -663,7 +662,7 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size) if (desc.buffer_addr) { cpu_physical_memory_write(le64_to_cpu(desc.buffer_addr), (void *)(buf + vlan_offset), size); - desc.length = cpu_to_le16(size); + desc.length = cpu_to_le16(size + 4 /* for FCS */); desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM; } else // as per intel docs; skip descriptors with null buf addr DBGOUT(RX, "Null RX descriptor!!\n"); -- cgit v1.2.3 From 55e8d1ce6b09300cc5f3adcd9a705156d168381d Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 12 Jul 2010 20:41:02 +0300 Subject: e1000: secrc support Add support for secrc field. Reportedly needed by old RHEL guests. Signed-off-by: Michael S. Tsirkin --- hw/e1000.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/e1000.c b/hw/e1000.c index 70aba11296..8d87492e0b 100644 --- a/hw/e1000.c +++ b/hw/e1000.c @@ -344,6 +344,15 @@ is_vlan_txd(uint32_t txd_lower) return ((txd_lower & E1000_TXD_CMD_VLE) != 0); } +/* FCS aka Ethernet CRC-32. We don't get it from backends and can't + * fill it in, just pad descriptor length by 4 bytes unless guest + * told us to trip it off the packet. */ +static inline int +fcs_len(E1000State *s) +{ + return (s->mac_reg[RCTL] & E1000_RCTL_SECRC) ? 0 : 4; +} + static void xmit_seg(E1000State *s) { @@ -662,7 +671,7 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size) if (desc.buffer_addr) { cpu_physical_memory_write(le64_to_cpu(desc.buffer_addr), (void *)(buf + vlan_offset), size); - desc.length = cpu_to_le16(size + 4 /* for FCS */); + desc.length = cpu_to_le16(size + fcs_len(s)); desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM; } else // as per intel docs; skip descriptors with null buf addr DBGOUT(RX, "Null RX descriptor!!\n"); -- cgit v1.2.3 From d154e0bafbd51bfd029ade9f1362bdff612b0f55 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Fri, 16 Jul 2010 17:11:46 +0300 Subject: vhost: fix miration during device start We need to know ring layout to allocate log buffer. So init rings first. Also fixes a theoretical memory-leak-on-error. https://bugzilla.redhat.com/show_bug.cgi?id=615228 Signed-off-by: Michael S. Tsirkin Tested-by: Gerd Hoffmann --- hw/vhost.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'hw') diff --git a/hw/vhost.c b/hw/vhost.c index d37a66e0ea..65709d005d 100644 --- a/hw/vhost.c +++ b/hw/vhost.c @@ -659,6 +659,16 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev) r = -errno; goto fail; } + for (i = 0; i < hdev->nvqs; ++i) { + r = vhost_virtqueue_init(hdev, + vdev, + hdev->vqs + i, + i); + if (r < 0) { + goto fail_vq; + } + } + if (hdev->log_enabled) { hdev->log_size = vhost_get_log_size(hdev); hdev->log = hdev->log_size ? @@ -667,19 +677,10 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev) (uint64_t)(unsigned long)hdev->log); if (r < 0) { r = -errno; - goto fail; - } - } - - for (i = 0; i < hdev->nvqs; ++i) { - r = vhost_virtqueue_init(hdev, - vdev, - hdev->vqs + i, - i); - if (r < 0) { goto fail_vq; } } + hdev->started = true; return 0; -- cgit v1.2.3