* Philippe Mathieu-Daudé <f4...@amsat.org>: > Attempt to fix the launchpad bug filled by Helge: > > In a qemu-system-hppa system, qemu release v5.0.0-rc, > the tulip nic driver is broken. The tulip nic is detected, > even getting DHCP info does work. But when trying to > download bigger files via network, the tulip driver gets > stuck. > > Philippe Mathieu-Daudé (3): > hw/net/tulip: Fix 'Descriptor Error' definition > hw/net/tulip: Log descriptor overflows > hw/net/tulip: Set descriptor error bit when lenght is incorrect > > hw/net/tulip.h | 2 +- > hw/net/tulip.c | 32 ++++++++++++++++++++++++++++---- > 2 files changed, 29 insertions(+), 5 deletions(-)
Philippe, thanks for your efforts. Sadly your patch did not fixed the bug itself, but it had some nice cleanups which should be included at some point. Regarding the tulip hang reported by me, the patch below does fix the issue. [PATCH] Fix tulip rx hang Cc: Prasad J Pandit <p...@fedoraproject.org> Fixes: 8ffb7265af ("check frame size and r/w data length") Buglink: https://bugs.launchpad.net/bugs/1874539 Signed-off-by: Helge Deller <del...@gmx.de> Commit 8ffb7265af ("check frame size and r/w data length") introduced checks to prevent accesses outside of the rx/tx buffers. But the new checks were plain wrong. rx_frame_len does count backwards, and the surrounding code ensures that rx_frame_len will not be bigger than rx_frame_size. Remove those checks again. diff --git a/hw/net/tulip.c b/hw/net/tulip.c index 1295f51d07..59d21defcc 100644 --- a/hw/net/tulip.c +++ b/hw/net/tulip.c @@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) len = s->rx_frame_len; } - if (s->rx_frame_len + len > sizeof(s->rx_frame)) { - return; - } pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + (s->rx_frame_size - s->rx_frame_len), len); s->rx_frame_len -= len; @@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) len = s->rx_frame_len; } - if (s->rx_frame_len + len > sizeof(s->rx_frame)) { - return; - } pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + (s->rx_frame_size - s->rx_frame_len), len); s->rx_frame_len -= len;