summaryrefslogtreecommitdiffstats
path: root/hw/net/vmxnet3.c
diff options
context:
space:
mode:
authorShmulik Ladkani2015-10-15 12:54:30 +0200
committerJason Wang2015-10-27 03:30:38 +0100
commiteedeeeffd419ab149e0b0ad5fc4b7cf5e1db6274 (patch)
tree3214b3c8d13808a77f5b68438df25a6120e27e22 /hw/net/vmxnet3.c
parentoptions: Add documentation for filter-dump (diff)
downloadqemu-eedeeeffd419ab149e0b0ad5fc4b7cf5e1db6274.tar.gz
qemu-eedeeeffd419ab149e0b0ad5fc4b7cf5e1db6274.tar.xz
qemu-eedeeeffd419ab149e0b0ad5fc4b7cf5e1db6274.zip
vmxnet3: Do not fill stats if device is inactive
Guest OS may issue VMXNET3_CMD_GET_STATS even before device was activated (for example in linux, after insmod but prior net-dev open). Accessing shared descriptors prior device activation is illegal as the VMXNET3State structures have not been fully initialized. As a result, guest memory gets corrupted and may lead to guest OS crashes. Fix, by not filling the stats descriptors if device is inactive. Reported-by: Leonid Shatz <leonid.shatz@ravellosystems.com> Acked-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Dana Rubin <dana.rubin@ravellosystems.com> Signed-off-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'hw/net/vmxnet3.c')
-rw-r--r--hw/net/vmxnet3.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 3c5e10dd6d..5e3a233237 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1289,6 +1289,10 @@ static uint32_t vmxnet3_get_interrupt_config(VMXNET3State *s)
static void vmxnet3_fill_stats(VMXNET3State *s)
{
int i;
+
+ if (!s->device_active)
+ return;
+
for (i = 0; i < s->txq_num; i++) {
cpu_physical_memory_write(s->txq_descr[i].tx_stats_pa,
&s->txq_descr[i].txq_stats,